Searching JSON data

danwollwich — Thu, 19 Dec 2013 09:14:20 GMT

Hi,

I'm trying to search some JSON data I've imported. Its of the format below.

{ "_id" : { "ip" : “192.1”68.1.1, "p" : 443, "h" : "d077c796eeddd46da45adfcd74116e2" }, "ip" : “192.168”.1.1, "port" : 443, "proto" : "tcp", "banner" : "HTTP/1.1 200 OK\r\nDate: Tue, 15 May 2012 05:30:04 GMT\r\n\nServer: Apache/2.2.15 (CentOS)\r\nLast-Modified: Mon, 24 Oct 2011 14:40\n:33 GMT\r\nETag: \"900cdb-38-4b00c67c36967\"\r\nAccept-Ranges: bytes\r\nC\nontent-Length: 56\r\nConnection: close\r\nContent-Type: text/html; char\nset=UTF-8\r\n\r\n\n

\n\n", "geo" : { "c" : "USA", "loc" : [ 38, -97 ] }, "name" : "https", "t" : { "$date" : 1337059668000 } }

I can do basic searches against things like the IP address but when i want to search for matching items such as the Server type, in this case Apache/2.2.15(CentOS) I seem to fall foul of some of the characters. How would i do matches for this type of data or others like Content Length? Trying to match on something that has a : on it seems to break the search term.

Thanks in advance

Dan

Re: Searching JSON data

MuS — Thu, 19 Dec 2013 09:21:18 GMT

hi danwollwich,

try the spath search command, it is a special search command for XML and JSON events. Find more information in the docs about spath.

hope this helps ...

cheers, MuS

topic Re: Searching JSON data in Getting Data In

Searching JSON data

Re: Searching JSON data