I'm attempting to match events using an EventBridge rule. However, I need to match the event if its array contains an object with some particular properties, and I'm struggling with how to do that.
An example event:
{
  "version": "0",
  "id": "396bfea8-6311-c1ab-44cf-d44d93014a89",
  "detail-type": "ExampleEvent",
  "source": "example.com",
  "account": "207772098559",
  "time": "2020-05-31T19:44:55Z",
  "region": "eu-west-1",
  "resources": [],
  "detail": {
    "Id": "2fbf7f1b0b0f462ba16b6076812f1b77",
    "Data": {
      "entities": [
        {
          "entityType": "task",
          "action": "update",
          "entityId": "bbf74ec6-8762-48d6-b09f-23a97834fc2f"
        },
        {
          "entityType": "note",
          "action": "update",
          "entityId": "bbf74ec6-8762-48d6-b09f-23a97834fc2f"
        }
      ]
    }
  }
}
I would like the rule to match where the entities collection contains any items with both entityType task and action update. I'd imagined it would look like the below but this gets the error "Unrecognized match type entityType" as it's thinking that the object inside the array means I'm trying to use one of the supported match types.
{
  "source": [
    "example.com"
  ],
  "detail-type": [
    "ExampleEvent"
  ],
  "detail": {
    "Data": {
      "entities": [
        {
          "entityType": [
            "Task"
          ],
          "action": [
            "update"
          ]
        }
      ]
    }
  }
}
Hopefully I am answering your question and you are not trying to pull a single entity out of the event; instead, I think you are asking how to match this event.
This is a matched event for the object array. I removed the array in the matched event and I lowercased the Task entityType filter, since it is case-sensitive.
{
  "source": [
    "example.com"
  ],
  "detail-type": [
    "ExampleEvent"
  ],
  "detail": {
    "Data": {
      "entities": {
        "entityType": [
          "task"
        ],
        "action": [
          "update"
        ]
      }
    }
  }
}
Example 2:
Here is another example with more nesting and a mixture of arrays and objects. As you can see, it treats arrays and objects the same. This is a Redshift alarm that is producing high disk space.
{
  "version": "0",
  "id": "c4c1c1c9-6542-e61b-6ef0-8c4d36933a92",
  "detail-type": "CloudWatch Alarm State Change",
  "source": "aws.cloudwatch",
  "account": "123456789012",
  "time": "2019-10-02T17:04:40Z",
  "region": "us-east-1",
  "resources": ["arn:aws:cloudwatch:us-east-1:123456789012:alarm:ServerMemoryTooHigh"],
  "detail": {
    "alarmName": "ServerDiskSpaceTooHigh",
    "configuration": {
      "description": "Goes into alarm when server Disk Space utilization is too high!",
      "metrics": [{
        "id": "30b6c6b2-a864-43a2-4877-c09a1afc3b87",
        "metricStat": {
          "metric": {
            "dimensions": {
              "InstanceId": "i-12345678901234567"
            },
            "name": "PercentageDiskSpaceUsed",
            "namespace": "AWS/Redshift"
          },
          "period": 300,
          "stat": "Average"
        },
        "returnData": true
      }]
    },
    "previousState": {
      "reason": "Threshold Crossed: 1 out of the last 1 datapoints [0.0666851903306472 (01/10/19 13:46:00)] was not greater than the threshold (50.0) (minimum 1 datapoint for ALARM -> OK transition).",
      "reasonData": "{\"version\":\"1.0\",\"queryDate\":\"2019-10-01T13:56:40.985+0000\",\"startDate\":\"2019-10-01T13:46:00.000+0000\",\"statistic\":\"Average\",\"period\":300,\"recentDatapoints\":[0.0666851903306472],\"threshold\":50.0}",
      "timestamp": "2019-10-01T13:56:40.987+0000",
      "value": "OK"
    },
    "state": {
      "reason": "Threshold Crossed: 1 out of the last 1 datapoints [99.50160229693434 (02/10/19 16:59:00)] was greater than the threshold (50.0) (minimum 1 datapoint for OK -> ALARM transition).",
      "reasonData": "{\"version\":\"1.0\",\"queryDate\":\"2019-10-02T17:04:40.985+0000\",\"startDate\":\"2019-10-02T16:59:00.000+0000\",\"statistic\":\"Average\",\"period\":300,\"recentDatapoints\":[99.50160229693434],\"threshold\":50.0}",
      "timestamp": "2019-10-02T17:04:40.989+0000",
      "value": "ALARM"
    }
  }
}
Here is the matched event:
{
  "detail-type": ["CloudWatch Alarm State Change"],
  "source": ["aws.cloudwatch"],
  "detail": {
    "configuration": {
      "metrics": {
        "metricStat": {
          "metric": {
            "name": ["PercentageDiskSpaceUsed"],
            "namespace": ["AWS/Redshift"]
          }
        }
      }
    },
    "state": {
      "value": ["ALARM"]
    }
  }
}
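A local sketch of the matching behaviour described in the answer above, added here as an example; it is not part of the original answer and not EventBridge's implementation. The names `matches`, `rule` and the trimmed `EVENT` are constructed for illustration, only exact-value leaves are modelled, and it assumes a single array element must satisfy the whole object pattern.

```python
"""Simplified local model of event-pattern matching (not EventBridge's code)."""

# Constructed: the question's event, trimmed to the fields the rule looks at.
EVENT = {
    "source": "example.com",
    "detail-type": "ExampleEvent",
    "detail": {"Data": {"entities": [
        {"entityType": "task", "action": "update"},
        {"entityType": "note", "action": "update"},
    ]}},
}


def matches(pattern, value):
    """Return True if the event fragment `value` satisfies `pattern`."""
    if isinstance(pattern, list):
        # Leaf: list of allowed values. An object in this position is read as
        # a match type (prefix, numeric, ...), which this sketch does not model.
        for allowed in pattern:
            if isinstance(allowed, dict):
                raise ValueError("Unrecognized match type " + next(iter(allowed), ""))
        candidates = value if isinstance(value, list) else [value]
        return any(c in pattern for c in candidates)  # exact, case-sensitive
    if isinstance(value, list):
        # Arrays in the event are transparent: the object pattern is tried
        # against each element (assumption: one element must satisfy all keys).
        return any(matches(pattern, item) for item in value)
    if not isinstance(value, dict):
        return False
    return all(k in value and matches(sub, value[k]) for k, sub in pattern.items())


def rule(entity_type, wrap_in_array=False):
    """Build the rule from the page; wrap_in_array reproduces the question's form."""
    cond = {"entityType": [entity_type], "action": ["update"]}
    return {
        "source": ["example.com"],
        "detail-type": ["ExampleEvent"],
        "detail": {"Data": {"entities": [cond] if wrap_in_array else cond}},
    }


if __name__ == "__main__":
    print(matches(rule("task"), EVENT))   # answer's pattern
    print(matches(rule("Task"), EVENT))   # wrong case: silently never fires
```

A rule with the wrong case is accepted and simply never fires, so a rule that feeds alerting is worth checking against a known-good sample event before deployment; the EventBridge `TestEventPattern` API gives the authoritative result.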