From 8991c76eea0dd922ea2944df61de26eb8b776540 Mon Sep 17 00:00:00 2001
From: chase-moxley
Date: Thu, 5 Feb 2026 20:43:39 -0600
Subject: [PATCH] Update: Make statedump data readable format Statedump is used in parser creation and troubleshooting.
---
 src/secops/cli/commands/parser.py | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/secops/cli/commands/parser.py b/src/secops/cli/commands/parser.py
index a9574be..ef777da 100644
--- a/src/secops/cli/commands/parser.py
+++ b/src/secops/cli/commands/parser.py
@@ -4,6 +4,7 @@
 import argparse
 import base64
+import json
 import sys
 from secops.cli.utils.common_args import add_pagination_args
@@ -405,6 +406,29 @@ def handle_parser_run_command(args, chronicle):
 logs,
 args.statedump_allowed,
 )
+
+ # --- Transform the Statedump String into a JSON Object ---
+ if args.statedump_allowed and "runParserResults" in result:
+ for res in result.get("runParserResults", []):
+ for item in res.get("statedumpResults", []):
+ raw = item.get("statedumpResult", "")
+ try:
+ # Find the JSON part
+ json_start = raw.find("{")
+ if json_start != -1:
+ header = raw[:json_start].strip()
+ data = json.loads(raw[json_start:])
+
+ # REPLACE the raw string with a structured dictionary
+ # This modifies 'result' in-place
+ item["statedumpResult"] = {
+ "info": header,
+ "state": data
+ }
+ except (ValueError, IndexError):
+ # If parsing fails, leave the original string alone
+ pass
+ # ---------------------------------------------------------
 output_formatter(result, args.output)
@@ -416,4 +440,4 @@ def handle_parser_run_command(args, chronicle):
 sys.exit(1)
 except Exception as e: # pylint: disable=broad-exception-caught
 print(f"Error running parser: {e}", file=sys.stderr)
- sys.exit(1)
+ sys.exit(1)
\ No newline at end of file
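Review bot: In the statedump loop of the second hunk, `raw.find("{")` assumes `statedumpResult` is always a string, but `item.get("statedumpResult", "")` returns whatever the API sent, and a `None` or already-structured value raises `AttributeError`, which `except (ValueError, IndexError)` does not catch. That error would presumably fall through to the `except Exception` handler visible in the last hunk, so a display-only transformation ends the command with exit code 1 and the parser result is never printed. Add `if not isinstance(raw, str): continue` before the `try:`; `IndexError` can then be dropped from the tuple, since neither slicing nor `str.find` raises it. Separately, `statedumpResult` is now a dict when parsing succeeds and a string when it does not, so anything consuming the JSON output has to handle both; writing the parsed form under a separate key would keep the raw value intact for troubleshooting. handle_parser_run_command starts and ends outside the hunk, so whether `result` is guaranteed to be a dict at this point is not visible.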