Hi everyone,
I’m receiving data from an Elasticsearch alert into an n8n webhook, but the content is not coming in as valid JSON. Instead, it’s a broken JSON object inside the body field, and I want to split it into proper fields so I can use them (e.g., to create a case in TheHive).
Here’s an example of the incoming webhook payload:
[
  {
    "headers": {
      "accept": "application/json, text/plain, */*",
      "content-type": "application/x-www-form-urlencoded",
      "user-agent": "*",
      "content-length": "706",
      "accept-encoding": "gzip, compress, deflate, br",
      "traceparent": "***",
      "host": "*:*",
      "connection": "keep-alive"
    },
    "params": {},
    "query": {},
    "body": {
      "{\r\n \"alert\": \"attack Detected\",\r\n \"timestamp\": \"***\",\r\n \"source_ip\": \"***\",\r\n \"destination_ip\": \"***\",\r\n \"source_port\": \"56770\",\r\n \"destination_port\": \"*\",\r\n \"rule_name\": \"SQL Injection Detected\",\r\n \"rule_category\": \"Web Application Attack\",\r\n \"message\": \"Web Application Attack\",\r\n \"url\": \"/***/**/",
      "Submit": "Submit\",\r\n \"user_agent\": \"curl/8.5.0\",\r\n \"network_protocol\": \"http\",\r\n \"http_method\": \"GET\",\r\n \"http_status\": \"302\",\r\n \"community_id\": \"1:***\",\r\n \"flow_id\": \"***\",\r\n \"signature_id\": \"100\",\r\n \"observer_hostname\": \"\"\r\n}\r\n"
    },
    "webhookUrl": "http://***",
    "executionMode": "test"
  }
]
My Goal:
I want to extract this broken JSON (currently a single malformed string) and parse it into proper fields (like source_ip, destination_ip, rule_name, etc.) so I can create a structured alert in TheHive.
Problem:
- The JSON inside the body is not parsed correctly.
- It looks like it’s been double-stringified or corrupted — especially around the url and Submit fields.
- I’m struggling to split or fix this and use it inside a Code node.
What I Need:
- How can I clean up and parse this kind of input inside an n8n Code node?
- Should I manually fix certain parts or is there a pattern to handle this cleanly?
- Any tips on handling similar malformed input from Elasticsearch alerts?
Thanks in advance! Any help or example code would be greatly appreciated.
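
One way to handle this in a Code node, as an added example that is not part of the original post: the `content-type` header in the payload is `application/x-www-form-urlencoded`, so the example assumes the JSON text was parsed as form data and split on `&` and `=`, which would explain the separate `Submit` key. The function names, the field allow-list, the 2048-character cap and the sample values are assumptions made for the illustration.

```javascript
// Added example, not from the original post. Assumes the webhook parsed a JSON
// body as form data (application/x-www-form-urlencoded), splitting on "&" and "=".

// Fields expected from the alert (names taken from the payload above); others are dropped.
const EXPECTED = ['alert', 'timestamp', 'source_ip', 'destination_ip', 'source_port',
  'destination_port', 'rule_name', 'rule_category', 'message', 'url', 'user_agent',
  'network_protocol', 'http_method', 'http_status', 'community_id', 'flow_id',
  'signature_id', 'observer_hostname'];

// Re-join the pairs the form parser produced: "key=value" joined with "&".
// Best effort: a pair with an empty value is assumed to have had no "=".
function rebuildRawBody(body) {
  if (typeof body === 'string') return body; // already raw text
  return Object.entries(body)
    .flatMap(([k, v]) => (Array.isArray(v) ? v : [v]).map((x) => [k, x]))
    .map(([k, v]) => (v === '' ? k : `${k}=${v}`))
    .join('&');
}

// Parse the rebuilt text and keep only expected fields as bounded strings.
// url and user_agent originate from the request that triggered the alert, so
// they are untrusted input and are passed on as plain data only.
function parseAlertBody(body) {
  let parsed;
  try {
    parsed = JSON.parse(rebuildRawBody(body));
  } catch (err) {
    return { ok: false, error: `body is not recoverable JSON: ${err.message}` };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'body is not a JSON object' };
  }
  const fields = {};
  for (const name of EXPECTED) {
    if (parsed[name] !== undefined) fields[name] = String(parsed[name]).slice(0, 2048);
  }
  return { ok: true, fields };
}

// Constructed sample: the body shape produced when the url held "?id=1&Submit=Submit".
const sampleBody = {
  '{\r\n "alert": "attack Detected",\r\n "source_ip": "192.0.2.10",\r\n "rule_name": "SQL Injection Detected",\r\n "url": "/app/page/?id': '1',
  Submit: 'Submit",\r\n "user_agent": "curl/8.5.0",\r\n "http_status": "302",\r\n "observer_hostname": ""\r\n}\r\n',
};

// In an n8n Code node (run once for all items):
// return $input.all().map((item) => ({ json: parseAlertBody(item.json.body) }));
```

The reconstruction is lossy, because a form parser also decodes `+` and percent-escapes inside values. Having the sender post the alert with `Content-Type: application/json` avoids the split entirely.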