How to fix and parse broken JSON lines from webhook input?

Hi everyone,

I’m receiving data from an Elasticsearch alert into an n8n webhook, but the content is not coming in as valid JSON. Instead, it’s a broken JSON object inside the body field, and I want to split it into proper fields so I can use them (e.g., to create a case in TheHive).

Here’s an example of the incoming webhook payload:

[
  {
    "headers": {
      "accept": "application/json, text/plain, */*",
      "content-type": "application/x-www-form-urlencoded",
      "user-agent": "*",
      "content-length": "706",
      "accept-encoding": "gzip, compress, deflate, br",
      "traceparent": "***",
      "host": "*:*",
      "connection": "keep-alive"
    },
    "params": {},
    "query": {},
    "body": {
      "{\r\n  \"alert\": \"attack Detected\",\r\n  \"timestamp\": \"***\",\r\n  \"source_ip\": \"***\",\r\n  \"destination_ip\": \"***\",\r\n  \"source_port\": \"56770\",\r\n  \"destination_port\": \"*\",\r\n  \"rule_name\": \"SQL Injection Detected\",\r\n  \"rule_category\": \"Web Application Attack\",\r\n  \"message\": \"Web Application Attack\",\r\n  \"url\": \"/***/**/",
      "Submit": "Submit\",\r\n  \"user_agent\": \"curl/8.5.0\",\r\n  \"network_protocol\": \"http\",\r\n  \"http_method\": \"GET\",\r\n  \"http_status\": \"302\",\r\n  \"community_id\": \"1:***\",\r\n  \"flow_id\": \"***\",\r\n  \"signature_id\": \"100\",\r\n  \"observer_hostname\": \"\"\r\n}\r\n"
    },
    "webhookUrl": "http://***",
    "executionMode": "test"
  }
]

My Goal:

I want to extract this broken JSON (currently a single malformed string) and parse it into proper fields (like source_ip, destination_ip, rule_name, etc.) so I can create a structured alert in TheHive.

Problem:

  • The JSON inside the body is not parsed correctly.
  • It looks like it’s been double-stringified or corrupted — especially around the url and Submit fields.
  • I’m struggling to split or fix this and use it inside a Code node.

What I Need:

  • How can I clean up and parse this kind of input inside an n8n Code node?
  • Should I manually fix certain parts or is there a pattern to handle this cleanly?
  • Any tips on handling similar malformed input from Elasticsearch alerts?

Thanks in advance! Any help or example code would be greatly appreciated.

You can try using something like this in node code, to be able to meet the objective or anything else. In my case, I managed to section a JSON and even create section tools, such as if it has rules to validate in the same JSON.

const items = $input.all();

function extractValidJsonString(input) {
  const jsonRegex = /{[\s\S]*}/g;
  const match = input.match(jsonRegex);
  if (!match) return null;

  try {
    return JSON.parse(match[0]);
  } catch (error) {
    return null;
  }
}

return items.map(item => {
  const originalBody = item.json.body;

  // We assume the malformed JSON is in the body's key
  const bodyKeys = Object.keys(originalBody);
  let embeddedJsonString = bodyKeys[0] || '';
  
  const cleanedJson = extractValidJsonString(embeddedJsonString);

  return {
    json: {
      ...item.json,
      extractedBody: cleanedJson,
    }
  };
});
1 Like
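
An added example (not part of the answer above, and not n8n's own code): the request headers show content-type application/x-www-form-urlencoded, so the JSON text appears to have been parsed as form fields and cut at the & and = inside the url value. Assuming that is what happened, this rejoins every key/value pair of the body before parsing, rather than reading only the first key; rebuildJsonBody, tryParse and sampleBody are hypothetical names and the sample payload is constructed.

```javascript
// Added example: undo form-urlencoded splitting of a JSON body.
// Assumption: the webhook parsed the raw text as key=value pairs split on "&",
// cutting each piece at its first "=" (what the payload in the question suggests).
function rebuildJsonBody(body) {
  if (typeof body === 'string') return tryParse(body); // already raw text
  if (body === null || typeof body !== 'object') return null;

  const pieces = [];
  for (const [key, value] of Object.entries(body)) {
    // A repeated key may arrive as an array; emit one piece per element.
    for (const v of Array.isArray(value) ? value : [value]) {
      // A piece without "=" shows up as a key with an empty value.
      pieces.push(v === '' || v == null ? key : `${key}=${v}`);
    }
  }
  return tryParse(pieces.join('&'));
}

function tryParse(text) {
  const start = text.indexOf('{');
  const end = text.lastIndexOf('}');
  if (start === -1 || end <= start) return null;
  try {
    const parsed = JSON.parse(text.slice(start, end + 1));
    // Accept only a plain object; anything else is not an alert record.
    return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : null;
  } catch (err) {
    // Form decoding is lossy ("+" became a space, "%xx" was decoded), so this can still fail.
    return null;
  }
}

// Constructed sample: a body that was split at "=" and "&" inside the url field.
const sampleBody = {
  '{\r\n  "alert": "attack Detected",\r\n  "rule_name": "SQL Injection Detected",\r\n  "url": "/app/page/?id': '1',
  'Submit': 'Submit",\r\n  "http_method": "GET",\r\n  "source_port": "56770"\r\n}\r\n',
};

const alertFields = rebuildJsonBody(sampleBody);
console.log(alertFields);

// In an n8n Code node the same function would be applied per item, e.g.:
// return $input.all().map(i => ({ json: { ...i.json, alert: rebuildJsonBody(i.json.body) } }));
```

If the sender can be set to post with content-type application/json, the body is not split in the first place and no reassembly is needed.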

Thank u it works
