https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628047#M107773 <P>performing the following search:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JCANDIAT_0-1674510125746.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23500i8F3816A6C5B20A51/image-size/medium?v=v2&amp;px=400" role="button" title="JCANDIAT_0-1674510125746.png" alt="JCANDIAT_0-1674510125746.png" /></span></P> <P>I get this result. I need to parser this information, building a table excel type. The information is in JSON format, so a UPLOAD in SPLUNK.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JCANDIAT_2-1674510242190.png" style="width: 852px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23502i8254A44A6E850A6F/image-dimensions/852x332?v=v2" width="852" height="332" role="button" title="JCANDIAT_2-1674510242190.png" alt="JCANDIAT_2-1674510242190.png" /></span></P> <P>Like this:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JCANDIAT_3-1674510280139.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23503i63FC2CF925320919/image-size/medium?v=v2&amp;px=400" role="button" title="JCANDIAT_3-1674510280139.png" alt="JCANDIAT_3-1674510280139.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 25 Jan 2023 16:36:10 GMT JCANDIAT 2023-01-25T16:36:10Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628047#M107773 <P>performing the following search:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JCANDIAT_0-1674510125746.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23500i8F3816A6C5B20A51/image-size/medium?v=v2&amp;px=400" role="button" title="JCANDIAT_0-1674510125746.png" alt="JCANDIAT_0-1674510125746.png" /></span></P> <P>I get this result. I need to parser this information, building a table excel type. The information is in JSON format, so a UPLOAD in SPLUNK.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JCANDIAT_2-1674510242190.png" style="width: 852px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23502i8254A44A6E850A6F/image-dimensions/852x332?v=v2" width="852" height="332" role="button" title="JCANDIAT_2-1674510242190.png" alt="JCANDIAT_2-1674510242190.png" /></span></P> <P>Like this:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JCANDIAT_3-1674510280139.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23503i63FC2CF925320919/image-size/medium?v=v2&amp;px=400" role="button" title="JCANDIAT_3-1674510280139.png" alt="JCANDIAT_3-1674510280139.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 25 Jan 2023 16:36:10 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628047#M107773 JCANDIAT 2023-01-25T16:36:10Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628049#M107775 <P>This might be easier from the _raw JSON events. Please can you share anonymised events in a code block &lt;/&gt;</P> Mon, 23 Jan 2023 23:12:18 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628049#M107775 ITWhisperer 2023-01-23T23:12:18Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628052#M107776 <P>{"Threat_hunting": {<BR />"cliente": "paginaejemplo.com.ar",<BR />"data": {<BR />"1": {<BR />"identificador": "551e5ae3-133a-463e-b3db-404f9e33ce1c",<BR />"name": "ES_139.47.115.rar/passwords.txt",<BR />"date": "2023-01-11T06:12:26.576428Z",<BR />"credenciales": {<BR />"1": {<BR />"Application": "Chrome (v106.0.5249.91-64, Profile",<BR />"URL": "<A href="https://www.paginaejemplo.com.ar" target="_blank">https://www.paginaejemplo.com.ar</A>",<BR />"Username": "",<BR />"Password": "dddddddd"<BR />},<BR />"2": {<BR />"Application": "Chrome (v106.0.5249.91-64, Profile",<BR />"URL": "<A href="https://www.paginaejemplo.com.ar" target="_blank">https://www.paginaejemplo.com.ar</A>",<BR />"Username": "",<BR />"Password": "bbbbbb"<BR />},<BR />"3": {<BR />"Application": "Chrome (v106.0.5249.91-64, Profile",<BR />"URL": "<A href="https://www.paginaejemplo.com.ar" target="_blank">https://www.paginaejemplo.com.ar</A>",<BR />"Username": "",<BR />"Password": "aaaaaa"<BR />}<BR />}<BR />},<BR />"2": {<BR />"identificador": "b540adda-6f78-40d7-bef4-f3413024fc71",<BR />"name": "AR[8BB40128FD52DCE2DD16C34FE4DA496E] [2022-11-05T18_37_34.rar/ AR[8BB40128FD52DCE2DD16C34FE4DA496E] [2022-11-05T18_37_34/Passwords.txt",<BR />"date": "2023-01-14T05:11:44.593095Z",<BR />"credenciales": {<BR />"1": {<BR />"URL": "<A href="https://www.paginaejemplo.com.ar" target="_blank">https://www.paginaejemplo.com.ar</A>",<BR />"Username": "UNKNOWN",<BR />"Password": "fffffff",<BR />"Application": "Google_[Chrome]_Profile 1"<BR />}<BR />}<BR />}<BR />}<BR />}<BR />}</P> Mon, 23 Jan 2023 23:21:25 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628052#M107776 JCANDIAT 2023-01-23T23:21:25Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628056#M107777 <P>Try something like this</P><LI-CODE lang="markup">| rex field=key "Threat_hunting\.data\.(?&lt;data&gt;\d+)\.credenciales\.(?&lt;credencial&gt;\d+)\.(?&lt;key&gt;\w+)" | eval {key}=value | fields data credencial Application Password URL Username | stats values(*) as * by data credencial</LI-CODE> Tue, 24 Jan 2023 00:31:39 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628056#M107777 ITWhisperer 2023-01-24T00:31:39Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628139#M107805 <P>Thank you very much!!!</P><P>It works!</P> Tue, 24 Jan 2023 13:31:41 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628139#M107805 JCANDIAT 2023-01-24T13:31:41Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628207#M107819 <P>Dear,&nbsp;</P><P>How can i build this structure, have in mind the identification label?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JCANDIAT_1-1674594086796.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23523iE71109BA859FF173/image-size/medium?v=v2&amp;px=400" role="button" title="JCANDIAT_1-1674594086796.png" alt="JCANDIAT_1-1674594086796.png" /></span></P><P>grateful for your help</P><P>&nbsp;</P> Tue, 24 Jan 2023 21:02:41 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628207#M107819 JCANDIAT 2023-01-24T21:02:41Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628211#M107820 <LI-CODE lang="markup">| rex field=key "Threat_hunting\.data\.(?&lt;data&gt;\d+)\.credenciales\.(?&lt;credencial&gt;\d+)\.(?&lt;key&gt;\w+)" | rex field=key "Threat_hunting\.data\.(?&lt;data&gt;\d+)\.(?&lt;key&gt;identificador|date)" | eval {key}=value | fillnull value=0 credencial | fields data credencial identificador date Password URL Username | stats values(*) as * by data credencial | eventstats values(date) as date values(identificador) as identificador by data | where credencial != 0</LI-CODE> Tue, 24 Jan 2023 22:40:21 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628211#M107820 ITWhisperer 2023-01-24T22:40:21Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628216#M107821 <P>thank you very much for your knowledge!</P> Tue, 24 Jan 2023 23:44:44 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Table-Format-JSON/m-p/628216#M107821 JCANDIAT 2023-01-24T23:44:44Z