ocsf-schema

Confusion about json_t

Open rmouritzen-splunk opened this issue 1 year ago • 2 comments

The json_t type has ended up with two interpretations:

Options

Option 1: json_t is the any type

  • The json_t is an any type, meaning any valid JSON type can be placed here.
  • When OCSF events are expressed as JSON, attributes of this value are any valid JSON type.
  • When OCSF events are expressed in serialization formats like Protobuf, a variant type would need to be defined and used, or the value would need to be expressed in JSON. Either way, this is somewhat complicated.

Option 2: json_t is a string containing JSON

  • The json_t is a string that is a JSON encoding of any valid JSON.
  • When OCSF events are expressed as JSON, attributes of this type are double encoded.
  • When OCSF events are expressed in serialization formats like Protobuf, attributes of this type are a string containing JSON.

Note

The original intent was that json_t is an any type. However, actual usage has ended up split between the two interpretations above. Changing to either interpretation will cause pain for some members of the community, so both interpretations should be up for consideration going forward.

rmouritzen-splunk, Jan 30 '24 18:01
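The two interpretations described in the issue, shown on the wire, together with a consumer that has to accept both. This is an added example, not part of the original issue or of OCSF project code; the attribute name `data` and the sample values are constructed for illustration.

```python
import json

# Constructed sample value; "data" stands in for any attribute typed json_t.
SAMPLE = {"user": "alice", "roles": ["admin"]}


def encode_option1(value):
    """Option 1: json_t is an any type, so the value is embedded as-is."""
    return json.dumps({"data": value})


def encode_option2(value):
    """Option 2: json_t is a string containing JSON (double encoded)."""
    return json.dumps({"data": json.dumps(value)})


def decode_tolerant(event_json):
    """Consumer-side heuristic returning (value, guess).

    A non-string value can only come from an Option 1 producer. A string that
    parses as JSON is reported as "ambiguous": it may be an Option 2 payload,
    or an Option 1 string whose text happens to be valid JSON.
    """
    raw = json.loads(event_json)["data"]
    if not isinstance(raw, str):
        return raw, "option1"
    try:
        return json.loads(raw), "ambiguous"
    except json.JSONDecodeError:
        return raw, "option1"


def wire_collision():
    """An Option 1 string "123" and an Option 2 number 123 serialize identically."""
    return encode_option1("123") == encode_option2(123)


if __name__ == "__main__":
    print(encode_option1(SAMPLE))   # nested object
    print(encode_option2(SAMPLE))   # escaped JSON inside a string
    print(decode_tolerant(encode_option2(SAMPLE)))
    print("collision:", wire_collision())
```

Because of the collision, a parser or detection pipeline that guesses the interpretation per event can silently change a value's type; the producer's interpretation has to be known out of band.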