<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic PAVO Getwatchlist - nested array parsing and other woes in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/PAVO-Getwatchlist-nested-array-parsing-and-other-woes/m-p/675053#M112994</link>
    <description>&lt;P&gt;Good day,&lt;/P&gt;&lt;P&gt;First I want to say that this add-on is an absolute lifesaver when it comes to getting structured data into Splunk, and if you ever put it up on GitHub please let me know - I'd be happy to contribute.&lt;/P&gt;&lt;P&gt;I have found a few minor issues.&amp;nbsp; I'll be using the following json in my examples:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;{"total":52145,"rows":
[
{"discoverable_guid":"94937859-A157-4C43-94AC-290172D50C4D","component_cpe":{"cpe23":"cpe:2.3:a:oracle:java_runtime_environment:1.8.0_381"},"cve":[]},
{"discoverable_guid":"2B933591-6192-4E42-9DFC-32C361D32208","component_cpe":{"cpe23":"cpe:2.3:a:oracle:jdk\\/sdk:1.8.0_201"},"cve":[]},
{"discoverable_guid":"DD854B8C-5900-518C-B8B6-096285936816","component_cpe":{"cpe23":"cpe:2.3:o:microsoft:windows_defender:4.18.1909.6"},"cve":[{"name":"CVE-2006-5270"},{"name":"CVE-2018-0986"},{"name":"CVE-2021-24092"},{"name":"CVE-2021-1647"},{"name":"CVE-2020-1170"},{"name":"CVE-2020-1163"},{"name":"CVE-2020-0835"},{"name":"CVE-2017-8558"},{"name":"CVE-2017-8541"},{"name":"CVE-2017-8540"},{"name":"CVE-2017-8538"},{"name":"CVE-2017-0290"},{"name":"CVE-2019-1255"},{"name":"CVE-2013-0078"},{"name":"CVE-2011-0037"},{"name":"CVE-2020-1461"},{"name":"CVE-2020-1002"},{"name":"CVE-2019-1161"},{"name":"CVE-2017-8542"},{"name":"CVE-2017-8539"},{"name":"CVE-2017-8537"},{"name":"CVE-2017-8536"},{"name":"CVE-2017-8535"},{"name":"CVE-2008-1438"},{"name":"CVE-2008-1437"}]},
{"discoverable_guid":"ADF7E72A-4A72-4D92-B278-F644E27EA88F","component_cpe":{"cpe23":"cpe:2.3:a:microsoft:.net_framework:4.8.04084"},"cve":[{"name":"CVE-2020-0646"},{"name":"CVE-2020-0606"},{"name":"CVE-2020-0605"},{"name":"CVE-2020-1147"},{"name":"CVE-2022-26832"},{"name":"CVE-2021-24111"},{"name":"CVE-2020-1108"},{"name":"CVE-2019-1083"},{"name":"CVE-2019-1006"},{"name":"CVE-2019-0981"},{"name":"CVE-2019-0980"},{"name":"CVE-2019-0820"},{"name":"CVE-2023-36873"},{"name":"CVE-2022-41064"},{"name":"CVE-2020-16937"},{"name":"CVE-2020-1476"},{"name":"CVE-2019-0864"},{"name":"CVE-2022-30130"}]},
{"discoverable_guid":"2B933591-6192-4E42-9DFC-32C361D32208","component_cpe":{"cpe23":"cpe:2.3:a:oracle:jdk\\/sdk:1.8.0_261"},"cve":[]}
]} &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;1. There are certain cases where nested json is rendered in splunk with&amp;nbsp; single quotes (') instead of double-quotes("):&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="K_Sukumar_1-1705929951046.png" style="width: 531px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/29065i497A18255D037614/image-dimensions/531x239?v=v2" width="531" height="239" role="button" title="K_Sukumar_1-1705929951046.png" alt="K_Sukumar_1-1705929951046.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;which makes me have to use a&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;| rex mode=sed field=&amp;lt;field_with_nested_json&amp;gt; "s/\'/\"/g"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;to make it compatible with spath.&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;2. The "autoextract=0" option when pulling down json does&amp;nbsp;&lt;STRONG&gt;not&lt;/STRONG&gt; put the contents into a _raw field (as stated in your docs), but instead seems to do first-level extraction -&amp;nbsp;&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;So a page that contains the following json:&amp;nbsp;&amp;nbsp;&lt;/STRIKE&gt;&amp;nbsp; EDIT - &lt;STRONG&gt;covered in #3 below&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Renders looking like this when I use getwatchlist json &amp;lt;url&amp;gt; autoextract=0&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="K_Sukumar_0-1705929552322.png" style="width: 598px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/29064iA0E286B5334F6E4F/image-dimensions/598x145?v=v2" width="598" height="145" role="button" title="K_Sukumar_0-1705929552322.png" alt="K_Sukumar_0-1705929552322.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;3.&amp;nbsp; &lt;STRIKE&gt;the "dataKey" parameter&lt;/STRIKE&gt;&amp;nbsp;All of the parameters seem to be case-sensitive - "dataKey=rows" produces correct content (below) vs "datakey=rows", which seems to ignore the parameter entirely&lt;/P&gt;&lt;P&gt;4. your docs don't seem to match the feature set or version in all places -&lt;/P&gt;&lt;TABLE border="1" width="100%"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="50%"&gt;Splunkbase "details" tab&lt;/TD&gt;&lt;TD width="50%"&gt;still refers to 1.3.2&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="50%"&gt;Add-on "About" tab (after install)&lt;/TD&gt;&lt;TD width="50%"&gt;refers to 1.3.3, but does not include details of the url parsing features that can only be found in your release notes on Splunkbase&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&lt;SPAN&gt;&lt;BR /&gt;5. The flattenJson parameter does not seem to be working at all.&amp;nbsp; I find references to it in the code, but if I put it into the search as a parameter Splunk does not recognize it as such, but it also does not treat it as a custom field either.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;As I said above, this add-on is great work, and literally the only things I could ask for "extra" are maybe xml parsing, and being able to perhaps pass URL parameters as an array.&lt;/P&gt;&lt;P&gt;EDIT:&lt;BR /&gt;A little more testing made me realize that a lot of my problems are specific to capitalization of the command parameters.&amp;nbsp; I've edited #3 above&lt;/P&gt;</description>
    <pubDate>Mon, 22 Jan 2024 14:46:59 GMT</pubDate>
    <dc:creator>K_Sukumar</dc:creator>
    <dc:date>2024-01-22T14:46:59Z</dc:date>
    <item>
      <title>PAVO Getwatchlist - nested array parsing and other woes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/PAVO-Getwatchlist-nested-array-parsing-and-other-woes/m-p/675053#M112994</link>
      <description>&lt;P&gt;Good day,&lt;/P&gt;&lt;P&gt;First I want to say that this add-on is an absolute lifesaver when it comes to getting structured data into Splunk, and if you ever put it up on GitHub please let me know - I'd be happy to contribute.&lt;/P&gt;&lt;P&gt;I have found a few minor issues.&amp;nbsp; I'll be using the following json in my examples:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;{"total":52145,"rows":
[
{"discoverable_guid":"94937859-A157-4C43-94AC-290172D50C4D","component_cpe":{"cpe23":"cpe:2.3:a:oracle:java_runtime_environment:1.8.0_381"},"cve":[]},
{"discoverable_guid":"2B933591-6192-4E42-9DFC-32C361D32208","component_cpe":{"cpe23":"cpe:2.3:a:oracle:jdk\\/sdk:1.8.0_201"},"cve":[]},
{"discoverable_guid":"DD854B8C-5900-518C-B8B6-096285936816","component_cpe":{"cpe23":"cpe:2.3:o:microsoft:windows_defender:4.18.1909.6"},"cve":[{"name":"CVE-2006-5270"},{"name":"CVE-2018-0986"},{"name":"CVE-2021-24092"},{"name":"CVE-2021-1647"},{"name":"CVE-2020-1170"},{"name":"CVE-2020-1163"},{"name":"CVE-2020-0835"},{"name":"CVE-2017-8558"},{"name":"CVE-2017-8541"},{"name":"CVE-2017-8540"},{"name":"CVE-2017-8538"},{"name":"CVE-2017-0290"},{"name":"CVE-2019-1255"},{"name":"CVE-2013-0078"},{"name":"CVE-2011-0037"},{"name":"CVE-2020-1461"},{"name":"CVE-2020-1002"},{"name":"CVE-2019-1161"},{"name":"CVE-2017-8542"},{"name":"CVE-2017-8539"},{"name":"CVE-2017-8537"},{"name":"CVE-2017-8536"},{"name":"CVE-2017-8535"},{"name":"CVE-2008-1438"},{"name":"CVE-2008-1437"}]},
{"discoverable_guid":"ADF7E72A-4A72-4D92-B278-F644E27EA88F","component_cpe":{"cpe23":"cpe:2.3:a:microsoft:.net_framework:4.8.04084"},"cve":[{"name":"CVE-2020-0646"},{"name":"CVE-2020-0606"},{"name":"CVE-2020-0605"},{"name":"CVE-2020-1147"},{"name":"CVE-2022-26832"},{"name":"CVE-2021-24111"},{"name":"CVE-2020-1108"},{"name":"CVE-2019-1083"},{"name":"CVE-2019-1006"},{"name":"CVE-2019-0981"},{"name":"CVE-2019-0980"},{"name":"CVE-2019-0820"},{"name":"CVE-2023-36873"},{"name":"CVE-2022-41064"},{"name":"CVE-2020-16937"},{"name":"CVE-2020-1476"},{"name":"CVE-2019-0864"},{"name":"CVE-2022-30130"}]},
{"discoverable_guid":"2B933591-6192-4E42-9DFC-32C361D32208","component_cpe":{"cpe23":"cpe:2.3:a:oracle:jdk\\/sdk:1.8.0_261"},"cve":[]}
]} &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;1. There are certain cases where nested json is rendered in splunk with&amp;nbsp; single quotes (') instead of double-quotes("):&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="K_Sukumar_1-1705929951046.png" style="width: 531px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/29065i497A18255D037614/image-dimensions/531x239?v=v2" width="531" height="239" role="button" title="K_Sukumar_1-1705929951046.png" alt="K_Sukumar_1-1705929951046.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;which makes me have to use a&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;| rex mode=sed field=&amp;lt;field_with_nested_json&amp;gt; "s/\'/\"/g"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;to make it compatible with spath.&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;2. The "autoextract=0" option when pulling down json does&amp;nbsp;&lt;STRONG&gt;not&lt;/STRONG&gt; put the contents into a _raw field (as stated in your docs), but instead seems to do first-level extraction -&amp;nbsp;&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;So a page that contains the following json:&amp;nbsp;&amp;nbsp;&lt;/STRIKE&gt;&amp;nbsp; EDIT - &lt;STRONG&gt;covered in #3 below&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Renders looking like this when I use getwatchlist json &amp;lt;url&amp;gt; autoextract=0&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="K_Sukumar_0-1705929552322.png" style="width: 598px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/29064iA0E286B5334F6E4F/image-dimensions/598x145?v=v2" width="598" height="145" role="button" title="K_Sukumar_0-1705929552322.png" alt="K_Sukumar_0-1705929552322.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;3.&amp;nbsp; &lt;STRIKE&gt;the "dataKey" parameter&lt;/STRIKE&gt;&amp;nbsp;All of the parameters seem to be case-sensitive - "dataKey=rows" produces correct content (below) vs "datakey=rows", which seems to ignore the parameter entirely&lt;/P&gt;&lt;P&gt;4. your docs don't seem to match the feature set or version in all places -&lt;/P&gt;&lt;TABLE border="1" width="100%"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="50%"&gt;Splunkbase "details" tab&lt;/TD&gt;&lt;TD width="50%"&gt;still refers to 1.3.2&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="50%"&gt;Add-on "About" tab (after install)&lt;/TD&gt;&lt;TD width="50%"&gt;refers to 1.3.3, but does not include details of the url parsing features that can only be found in your release notes on Splunkbase&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&lt;SPAN&gt;&lt;BR /&gt;5. The flattenJson parameter does not seem to be working at all.&amp;nbsp; I find references to it in the code, but if I put it into the search as a parameter Splunk does not recognize it as such, but it also does not treat it as a custom field either.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;As I said above, this add-on is great work, and literally the only things I could ask for "extra" are maybe xml parsing, and being able to perhaps pass URL parameters as an array.&lt;/P&gt;&lt;P&gt;EDIT:&lt;BR /&gt;A little more testing made me realize that a lot of my problems are specific to capitalization of the command parameters.&amp;nbsp; I've edited #3 above&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jan 2024 14:46:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/PAVO-Getwatchlist-nested-array-parsing-and-other-woes/m-p/675053#M112994</guid>
      <dc:creator>K_Sukumar</dc:creator>
      <dc:date>2024-01-22T14:46:59Z</dc:date>
    </item>
  </channel>
</rss>

