How to fix and parse broken JSON lines from webhook input?

Questions
1

Hi everyone,

I’m receiving data from an Elasticsearch alert into an n8n webhook, but the content is not coming in as valid JSON. Instead, it’s a broken JSON object inside the body field, and I want to split it into proper fields so I can use them (e.g., to create a case in TheHive).

Here’s an example of the incoming webhook payload:

json

t

[
  {
    "headers": {
      "accept": "application/json, text/plain, */*",
      "content-type": "application/x-www-form-urlencoded",
      "user-agent": "*",
      "content-length": "706",
      "accept-encoding": "gzip, compress, deflate, br",
      "traceparent": "***",
      "host": "*:*",
      "connection": "keep-alive"
    },
    "params": {},
    "query": {},
    "body": {
      "{\r\n  \"alert\": \"attack Detected\",\r\n  \"timestamp\": \"***\",\r\n  \"source_ip\": \"***\",\r\n  \"destination_ip\": \"***\",\r\n  \"source_port\": \"56770\",\r\n  \"destination_port\": \"*\",\r\n  \"rule_name\": \"SQL Injection Detected\",\r\n  \"rule_category\": \"Web Application Attack\",\r\n  \"message\": \"Web Application Attack\",\r\n  \"url\": \"/***/**/",
      "Submit": "Submit\",\r\n  \"user_agent\": \"curl/8.5.0\",\r\n  \"network_protocol\": \"http\",\r\n  \"http_method\": \"GET\",\r\n  \"http_status\": \"302\",\r\n  \"community_id\": \"1:***\",\r\n  \"flow_id\": \"***\",\r\n  \"signature_id\": \"100\",\r\n  \"observer_hostname\": \"\"\r\n}\r\n"
    },
    "webhookUrl": "http://***",
    "executionMode": "test"
  }
]

My Goal:

I want to extract this broken JSON (currently a single malformed string) and parse it into proper fields (like source_ip, destination_ip, rule_name, etc.) so I can create a structured alert in TheHive.

Problem:

  • The JSON inside the body is not parsed correctly.
  • It looks like it’s been double-stringified or corrupted — especially around the url and Submit fields.
  • I’m struggling to split or fix this and use it inside a Code node.

What I Need:

  • How can I clean up and parse this kind of input inside an n8n Code node?
  • Should I manually fix certain parts or is there a pattern to handle this cleanly?
  • Any tips on handling similar malformed input from Elasticsearch alerts?

Thanks in advance! Any help or example code would be greatly appreciated.

2

You can try using something like this in node code, to be able to meet the objective or anything else. In my case, I managed to section a JSON and even create section tools, such as if it has rules to validate in the same JSON.

const items = $input.all();

function extractValidJsonString(input) {
  const jsonRegex = /{[\s\S]*}/g;
  const match = input.match(jsonRegex);
  if (!match) return null;

  try {
    return JSON.parse(match[0]);
  } catch (error) {
    return null;
  }
}

return items.map(item => {
  const originalBody = item.json.body;

  // Asumimos que el JSON malformado está en la clave del body
  const bodyKeys = Object.keys(originalBody);
  let embeddedJsonString = bodyKeys[0] || '';
  
  const cleanedJson = extractValidJsonString(embeddedJsonString);

  return {
    json: {
      ...item.json,
      extractedBody: cleanedJson,
    }
  };
});
1 Like
3

Thank u it works

4

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.