Skip output json format (#342)

* Add option to exclude output property in json fmt New falco.yaml option json_include_output_property controls where the formatted string "output" is included in the json object when json output is enabled. By default the string is included. * Add tests for new json output option New test sets json_include_output_property to false and then verifies that the json output does *not* contain the surrounding text "Warning an open...".
2025-09-06 09:12:20 +00:00 · 2018-03-28 11:24:09 -07:00
parent a3f53138d3
commit 2a3ca21779
11 changed files with 45 additions and 11 deletions
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -25,6 +25,7 @@ along with falco.  If not, see <http://www.gnu.org/licenses/>.

 sinsp* falco_formats::s_inspector = NULL;
 bool falco_formats::s_json_output = false;
+bool falco_formats::s_json_include_output_property = true;
 sinsp_evt_formatter_cache *falco_formats::s_formatters = NULL;

 const static struct luaL_reg ll_falco [] =
@@ -36,10 +37,11 @@ const static struct luaL_reg ll_falco [] =
 	{NULL,NULL}
 };

-void falco_formats::init(sinsp* inspector, lua_State *ls, bool json_output)
+void falco_formats::init(sinsp* inspector, lua_State *ls, bool json_output, bool json_include_output_property)
 {
 	s_inspector = inspector;
 	s_json_output = json_output;
+	s_json_include_output_property = json_include_output_property;
 	if(!s_formatters)
 	{
 		s_formatters = new sinsp_evt_formatter_cache(s_inspector);
@@ -155,8 +157,12 @@ int falco_formats::format_event (lua_State *ls)
 		event["time"] = iso8601evttime;
 		event["rule"] = rule;
 		event["priority"] = level;
-		// This is the filled-in output line.
-		event["output"] = line;
+
+		if(s_json_include_output_property)
+		{
+			// This is the filled-in output line.
+			event["output"] = line;
+		}

 		full_line = writer.write(event);