JSON Schema Validation

Hey, if I understand correctly, Cribl can validate a specific JSON Schema per: Schemas Library | Cribl Docs
It looks as if it will drop events that lack specific fields. Is it correct to say that I can use the JSON Schemas to have Cribl determine if my JSON of 5 values (A, B, C, D, and E) has at least values A, B, and C, even if D and E are present?

I am asking if I can use the schema to validate that every event has at least these 3 fields present that I specify or else drop the event? They can have 100 fields, but if they don't include the 3 I need, then drop it. But if the 100 field event has the 3 I need, then it’s good.

1 UpGoat

Notice the first event isValid=='true' but second event isValid=='false'

Sample Schema:

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "field1": {"type": "string"},
    "field2": {"type": "string"},
    "field3": {"type": "string"},
    "field4": {"type": "string"},
    "field5": {"type": "string"}
  },
  "required": ["field1", "field2", "field3"],
  "anyOf": [
    {"required": ["field4"]},
    {"required": ["field5"]},
    {"required": ["field4", "field5"]}
  ]
}

1 UpGoat

@david thanks. So this means that I could have fields 1, 2, and 3 required and combinations of 4 and 5. But that works if there are only 5 fields. Is there a way to say: “Check for fields 1, 2, and 3, and who cares about 4 and 5?” and still return true? I ask this because that works great for 5 fields, but for something like checking for compatibility with a schema such as ECS that has a lot of fields, it would become almost unfeasible to build it out this way without taking hours to do so.
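
Added example, not part of the thread and not Cribl's own code: a minimal JavaScript check of the keywords used in the sample schema (`type`, `properties`, `required`, `anyOf`), run over constructed events. It shows that `required` on its own accepts an event with any number of unlisted fields, while the `anyOf` block is what makes field4 or field5 mandatory; `isValid`, `requiredOnly`, `withAnyOf` and the event names are assumptions made for the illustration.

```javascript
// Added illustration: checks only the draft-07 keywords used in this thread
// (type, properties, required, anyOf). It is not Cribl's validator.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isValid(schema, value) {
  const isObject = value !== null && typeof value === "object" && !Array.isArray(value);
  if (schema.type === "object" && !isObject) return false;
  if (schema.type === "string" && typeof value !== "string") return false;
  if (isObject) {
    // required: each listed key must exist; keys not listed are ignored.
    for (const key of schema.required || []) {
      if (!has(value, key)) return false;
    }
    // properties: a sub-schema applies only when its key is present.
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (has(value, key) && !isValid(sub, value[key])) return false;
    }
  }
  // anyOf: at least one branch must validate.
  if (schema.anyOf && !schema.anyOf.some((s) => isValid(s, value))) return false;
  return true;
}

const str = { type: "string" };
// Only the three mandatory fields are described; nothing else is mentioned.
const requiredOnly = {
  type: "object",
  properties: { field1: str, field2: str, field3: str },
  required: ["field1", "field2", "field3"],
};
// The sample schema from the thread: same required list plus the anyOf block.
const withAnyOf = {
  ...requiredOnly,
  properties: { ...requiredOnly.properties, field4: str, field5: str },
  anyOf: [{ required: ["field4"] }, { required: ["field5"] },
          { required: ["field4", "field5"] }],
};

// Constructed sample events.
const onlyThree = { field1: "a", field2: "b", field3: "c" };
const wide = { ...onlyThree };
for (let i = 0; i < 100; i++) wide["extra" + i] = i; // 100 unlisted fields
const missingField3 = { field1: "a", field2: "b", field4: "d" };

// Rows: requiredOnly, withAnyOf. Columns: onlyThree, wide, missingField3.
function demo() {
  return [requiredOnly, withAnyOf].map((s) =>
    [onlyThree, wide, missingField3].map((e) => isValid(s, e)));
}
console.log(demo());
```

Extra fields would only be rejected if the schema also set `additionalProperties` to `false`, which neither schema here does.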