https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151187#M30765 <P>You need a two-step approach:</P> <PRE><CODE>... | spath vulnerable_hosts{} output=vulnerable_hosts | mvexpand vulnerable_hosts | spath input=vulnerable_hosts </CODE></PRE> <P>First you extract the objects inside the <CODE>vulnerable_hosts</CODE> array, then you turn them into individual events, finally you extract the content of those objects.</P> Fri, 31 Jul 2015 23:23:57 GMT martin_mueller 2015-07-31T23:23:57Z https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151186#M30764 <P>I am pulling in some json events that are poorly structured (at least for my needs). Specifically, I need to be able to tie the VULNS data to its ip address, which is above it. But since they are not nested, splunk is not able to make the connection. Is there any way to tie the IP address to the data below it or readjust the nesting of the event in a search?</P> <P>Example data below</P> <PRE><CODE>vulnerable_hosts: [ [-] { [-] ip_address: xxx.xxx.xxx.xxx vulns: [ [-] { [-] risk_level: High service_port: 443 service_protocol: TCP title: SSL/TLS server supports RC4 ciphers } { [-] risk_level: Medium service_port: 80 service_protocol: TCP title: TCP timestamp requests enabled } { [-] risk_level: Medium service_port: 443 service_protocol: TCP title: SSL certificate is signed with weak hash function: SHA1 } ] } { [-] ip_address: yyy.yyy.yyy.yyy vulns: [ [-] { [-] risk_level: Urgent service_port: 161 service_protocol: UDP title: SNMP is enabled and may be vulnerable } { [-] risk_level: Low service_port: 0 service_protocol: ICMP title: ICMP timestamp requests enabled } ] </CODE></PRE> Fri, 31 Jul 2015 22:51:10 GMT https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151186#M30764 david_rose 2015-07-31T22:51:10Z https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151187#M30765 <P>You need a two-step approach:</P> <PRE><CODE>... | spath vulnerable_hosts{} output=vulnerable_hosts | mvexpand vulnerable_hosts | spath input=vulnerable_hosts </CODE></PRE> <P>First you extract the objects inside the <CODE>vulnerable_hosts</CODE> array, then you turn them into individual events, finally you extract the content of those objects.</P> Fri, 31 Jul 2015 23:23:57 GMT https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151187#M30765 martin_mueller 2015-07-31T23:23:57Z https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151188#M30766 <P>Thanks Martin. But with this method, how can I connect the vulnerability to the the correct ip ?</P> Mon, 03 Aug 2015 14:05:32 GMT https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151188#M30766 david_rose 2015-08-03T14:05:32Z https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151189#M30767 <P>Ignore that, it was there, just not presented in the events. You rock!</P> Mon, 03 Aug 2015 15:21:47 GMT https://community.splunk.com/t5/Getting-Data-In/Dealing-with-badly-structured-json-events/m-p/151189#M30767 david_rose 2015-08-03T15:21:47Z