May 10 2019 04:45 AM
I have two playbooks that collect logs in JSON format from a 3rd party API (Proofpoint TAP and Cisco AMP for endpoints). When I run the playbooks I can see that each one gets data from the third party API. But then it fails to send it to log analytics with these errors.
TAP:
ExpressionEvaluationFailed. The execution of template action 'For_each' failed: the result of the evaluation of 'foreach' expression '@body('HTTP')' is of type 'String'. The result must be a valid array.
AMP:
ExpressionEvaluationFailed. The execution of template action 'For_each' failed: the result of the evaluation of 'foreach' expression '@body('HTTP')' is of type 'Object'. The result must be a valid array.
Both of them use the HTTP connector to get the data. Is there another step I need to do in between to get the data ready to import into log analytics?
May 13 2019 02:46 PM
May 13 2019 02:59 PM
Solution
Ofer and I discussed offline. The solution is detailed here:
One thing I would note, for the Proofpoint playbook, even after adding the step to parse the JSON I would get errors like “expected integer but got a number” or “expected string and got null.” The fix was to go back into the schema in the step and find places where the value was integer and set it to allow an integer or a number. Same thing for string, allow string or null.
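The schema fix described in the post above can be scripted instead of edited by hand. This is an added example, not part of the original thread: it walks a schema generated from a sample payload and widens every `integer` to integer-or-number and every `string` to string-or-null using JSON Schema's type-array form. The sample schema and its field names are constructed, not the real Proofpoint TAP fields.

```python
import json

# Widenings described in the post: integer -> integer or number, string -> string or null.
WIDEN = {"integer": ["integer", "number"], "string": ["string", "null"]}

def _widen_type(value):
    """Widen one 'type' keyword value (a string or a list of strings)."""
    types = [value] if isinstance(value, str) else list(value)
    widened = []
    for t in types:
        for w in WIDEN.get(t, [t]):
            if w not in widened:
                widened.append(w)
    return widened[0] if len(widened) == 1 else widened

def relax_schema(node):
    """Return a relaxed copy of a JSON Schema node; the input is not modified."""
    if isinstance(node, list):
        return [relax_schema(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key == "type":
            out[key] = _widen_type(value)
        elif key == "properties" and isinstance(value, dict):
            # Keys here are field names, so a field called "type" is not a keyword.
            out[key] = {name: relax_schema(sub) for name, sub in value.items()}
        else:
            out[key] = relax_schema(value)
    return out

# Constructed sample schema (hypothetical field names).
SAMPLE_SCHEMA = {"type": "object", "properties": {"events": {
    "type": "array",
    "items": {"type": "object", "required": ["score"], "properties": {
        "score": {"type": "integer"},
        "subject": {"type": "string"},
        "type": {"type": "string"},
        "blocked": {"type": "boolean"},
    }},
}}}

if __name__ == "__main__":
    print(json.dumps(relax_schema(SAMPLE_SCHEMA), indent=2))
```

Paste the printed schema back into the Parse JSON step; keep `required` tight for the fields your detections depend on so that a missing field still fails the run visibly.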