<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Json field parsing in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475533#M81633</link>
    <description>&lt;P&gt;The JSON extraction of &lt;CODE&gt;spath&lt;/CODE&gt; and &lt;CODE&gt;props.conf&lt;/CODE&gt; works like this.&lt;BR /&gt;
It is unavoidable.&lt;/P&gt;</description>
    <pubDate>Wed, 15 Jan 2020 12:48:52 GMT</pubDate>
    <dc:creator>to4kawa</dc:creator>
    <dc:date>2020-01-15T12:48:52Z</dc:date>
    <item>
      <title>Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475525#M81625</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;We are getting the AWS Macie events as the _json sourcetype; due to multiple loops there is a problem in field extraction. I have given the screenshots below: the red oval should be the field name and the green oval should be the value.&lt;/P&gt;

&lt;P&gt;For example, the field name is &lt;STRONG&gt;detail.summary events.createtags.isp amazon&lt;/STRONG&gt; and the value is 436, but we need the field name to stop at ISP and the value to be amazon.&lt;/P&gt;

&lt;P&gt;Please let me know how to get this done through props and transforms.&lt;/P&gt;

&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/8150iE920BE5CA8444592/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/8151i8E9519660A815CE6/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 06 Jan 2020 13:04:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475525#M81625</guid>
      <dc:creator>martinnepolean</dc:creator>
      <dc:date>2020-01-06T13:04:40Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475526#M81626</link>
      <description>&lt;P&gt;@martinnepolean &lt;BR /&gt;
Can you please share sample &lt;CODE&gt;_raw&lt;/CODE&gt; events and the expected output?&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jan 2020 05:35:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475526#M81626</guid>
      <dc:creator>kamlesh_vaghela</dc:creator>
      <dc:date>2020-01-07T05:35:22Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475527#M81627</link>
      <description>&lt;P&gt;{"version":"0","id":"2561455-c673-0hy6-673b-447895415","detail-type":"Macie Alert","source":"aws.macie","account":"123456789","time":"2020-01-07T10:46:36Z","region":"us-east-1","resources":["arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7/alert/014f2161de2fffc59dd5d2cdf81a73fb","arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7"],"detail":{"notification-type":"ALERT_UPDATED","tags":["Suspicious Access","Basic Alert"],"name":"Access Denied to IAM user while attempting to get an AWS S3 Object from outside of AWS","severity":"LOW","url":"&lt;A href="https://mt.us-east-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aus-east-1%3A123456789%3Atrigger%2F0c54ddb4cd37e6b8316ecdc1ba4ae3b7%2Falert%2F014f2161de2fffc59dd5d2cdf81a73fb%22,%22alert-arn%22:%22arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7/alert/014f2161de2fffc59dd5d2cdf81a73fb%22,%22risk-score%22:3,%22updated-at%22:%222020-01-07T10:46:36.136911%22,%22created-at%22:%222020-01-07T00:46:35.139000+00:00%22,%22actor%22:%22321404829113:anonymous_principal%22,%22summary%22:%7B%22Description%22:%22Access" target="_blank"&gt;https://mt.us-east-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aus-east-1%3A123456789%3Atrigger%2F0c54ddb4cd37e6b8316ecdc1ba4ae3b7%2Falert%2F014f2161de2fffc59dd5d2cdf81a73fb","alert-arn":"arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7/alert/014f2161de2fffc59dd5d2cdf81a73fb","risk-score":3,"updated-at":"2020-01-07T10:46:36.136911","created-at":"2020-01-07T00:46:35.139000+00:00","actor":"321404829113:anonymous_principal","summary":{"Description":"Access&lt;/A&gt; Denied error to IAM user while attempting to get an AWS S3 Object from and IP address outside of AWS. 
This could be an indication of attempted access to restricted content","IP":{"216.20.176.6":1,"216.20.176.5":1,"216.20.176.4":2,"216.20.176.2":3},"Time Range":[{"count":3,"start":"2020-01-07T00:29:44Z","end":"2020-01-07T00:29:47Z"},{"count":1,"start":"2020-01-07T10:06:11Z","end":"2020-01-07T10:06:11Z"},{"count":1,"start":"2020-01-07T07:51:59Z","end":"2020-01-07T07:51:59Z"},{"count":1,"start":"2020-01-07T10:19:18Z","end":"2020-01-07T10:19:18Z"},{"count":1,"start":"2020-01-07T10:24:37Z","end":"2020-01-07T10:24:37Z"}],"Record Count":5,"Location":{"us-east-1":7},"Event Count":7,"Events":{"GetObject":{"count":5,"ISP":{"Company":5},"Error Code":{"AccessDenied":5}},"ListObjects":{"count":2,"ISP":{"Company":2},"Error Code":{"AccessDenied":2}}},"recipientAccountId":{"321404829113":7}},"trigger":{"rule-arn":"arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7","alert-type":"basic","created-at":"2019-12-19 09:32:37.931000+00:00","description":"Access Denied error to IAM user while attempting to get an AWS S3 Object from and IP address outside of AWS. This could be an indication of attempted access to restricted content","risk":3}}}&lt;/P&gt;

&lt;P&gt;I would like to have &lt;STRONG&gt;error code&lt;/STRONG&gt; as a field and &lt;STRONG&gt;AccessDenied&lt;/STRONG&gt; as its value, which is not showing up now, and I would like to tag all IP addresses under the &lt;STRONG&gt;IP&lt;/STRONG&gt; field name.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 03:32:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475527#M81627</guid>
      <dc:creator>martinnepolean</dc:creator>
      <dc:date>2020-09-30T03:32:21Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475528#M81628</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval _raw="{\"version\":\"0\",\"id\":\"2561455-c673-0hy6-673b-447895415\",\"detail-type\":\"Macie Alert\",\"source\":\"aws.macie\",\"account\":\"123456789\",\"time\":\"2020-01-07T10:46:36Z\",\"region\":\"us-east-1\",\"resources\":[\"arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7/alert/014f2161de2fffc59dd5d2cdf81a73fb\",\"arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7\"],\"detail\":{\"notification-type\":\"ALERT_UPDATED\",\"tags\":[\"Suspicious Access\",\"Basic Alert\"],\"name\":\"Access Denied to IAM user while attempting to get an AWS S3 Object from outside of AWS\",\"severity\":\"LOW\",\"url\":\"https://mt.us-east-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aus-east-1%3A123456789%3Atrigger%2F0c54ddb4cd37e6b8316ecdc1ba4ae3b7%2Falert%2F014f2161de2fffc59dd5d2cdf81a73fb\",\"alert-arn\":\"arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7/alert/014f2161de2fffc59dd5d2cdf81a73fb\",\"risk-score\":3,\"updated-at\":\"2020-01-07T10:46:36.136911\",\"created-at\":\"2020-01-07T00:46:35.139000+00:00\",\"actor\":\"321404829113:anonymous_principal\",\"summary\":{\"Description\":\"Access Denied error to IAM user while attempting to get an AWS S3 Object from and IP address outside of AWS. 
This could be an indication of attempted access to restricted content\",\"IP\":{\"216.20.176.6\":1,\"216.20.176.5\":1,\"216.20.176.4\":2,\"216.20.176.2\":3},\"Time Range\":[{\"count\":3,\"start\":\"2020-01-07T00:29:44Z\",\"end\":\"2020-01-07T00:29:47Z\"},{\"count\":1,\"start\":\"2020-01-07T10:06:11Z\",\"end\":\"2020-01-07T10:06:11Z\"},{\"count\":1,\"start\":\"2020-01-07T07:51:59Z\",\"end\":\"2020-01-07T07:51:59Z\"},{\"count\":1,\"start\":\"2020-01-07T10:19:18Z\",\"end\":\"2020-01-07T10:19:18Z\"},{\"count\":1,\"start\":\"2020-01-07T10:24:37Z\",\"end\":\"2020-01-07T10:24:37Z\"}],\"Record Count\":5,\"Location\":{\"us-east-1\":7},\"Event Count\":7,\"Events\":{\"GetObject\":{\"count\":5,\"ISP\":{\"Company\":5},\"Error Code\":{\"AccessDenied\":5}},\"ListObjects\":{\"count\":2,\"ISP\":{\"Company\":2},\"Error Code\":{\"AccessDenied\":2}}},\"recipientAccountId\":{\"321404829113\":7}},\"trigger\":{\"rule-arn\":\"arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7\",\"alert-type\":\"basic\",\"created-at\":\"2019-12-19 09:32:37.931000+00:00\",\"description\":\"Access Denied error to IAM user while attempting to get an AWS S3 Object from and IP address outside of AWS. This could be an indication of attempted access to restricted content\",\"risk\":3}}}"
| eval ErrorCode=spath(_raw,"detail.summary.Events.GetObject.Error Code")
| eval IP=spath(_raw,"detail.summary.IP")
| rex field=ErrorCode "(?&amp;lt;ErrorCode&amp;gt;\w+)"
| rex field=IP max_match=20 "(?&amp;lt;IP&amp;gt;(?&amp;lt;=\")[\w.]+)"
| fields - _*
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Hi, @martinnepolean&lt;BR /&gt;
The fields from the first question are missing; is this OK?&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jan 2020 12:04:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475528#M81628</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-01-07T12:04:57Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475529#M81629</link>
      <description>&lt;P&gt;I am looking to get all fields, not only ErrorCode and IP. Any help?&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jan 2020 11:53:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475529#M81629</guid>
      <dc:creator>martinnepolean</dc:creator>
      <dc:date>2020-01-10T11:53:22Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475530#M81630</link>
      <description>&lt;P&gt;Your sample doesn't have &lt;EM&gt;detail.summary events.createtags.isp&lt;/EM&gt;.&lt;BR /&gt;
You say &lt;CODE&gt;all fields&lt;/CODE&gt;. Which ones?&lt;BR /&gt;
Apparently the fields have already been extracted.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jan 2020 12:07:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475530#M81630</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-01-10T12:07:58Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475531#M81631</link>
      <description>&lt;P&gt;@martinnepolean&lt;/P&gt;

&lt;P&gt;Can you please share your expected output from the sample you have shared?&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jan 2020 12:18:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475531#M81631</guid>
      <dc:creator>kamlesh_vaghela</dc:creator>
      <dc:date>2020-01-10T12:18:29Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475532#M81632</link>
      <description>&lt;P&gt;Hi Kamlesh,&lt;/P&gt;

&lt;P&gt;One example of how the field extraction currently happens: we are getting it like the one below.&lt;/P&gt;

&lt;P&gt;Detail.Summary.Events.GetObject.Error Code.AccessDenied=2&lt;/P&gt;

&lt;P&gt;But we would like to extract it as&lt;BR /&gt;
Detail.Summary.Events.GetObject.Error Code = AccessDenied&lt;/P&gt;

&lt;P&gt;And below is the list of fields I am looking for from the event shared above.&lt;/P&gt;

&lt;P&gt;version=0&lt;BR /&gt;
id=2561455-c673-0hy6-673b-447895415&lt;BR /&gt;
detail-type=Maciealert&lt;BR /&gt;
source=aws.macie&lt;BR /&gt;
account=123456789&lt;BR /&gt;
time=2020-01-07T10:46:36Z&lt;BR /&gt;
region=us-east-1&lt;BR /&gt;
resources=arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7/alert/014f2161de2fffc59dd5d2cdf81a73fb","arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7"&lt;BR /&gt;
detail.notification-type=ALERT_UPDATED&lt;BR /&gt;
tags=Suspicious Access,Basic Alert&lt;BR /&gt;
name=Access Denied to IAM user while attempting to get an AWS S3 Object from outside of AWS"&lt;BR /&gt;
severity=LOW&lt;BR /&gt;
url=&lt;A href="https://mt.us-east-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aus-east-1%3A123456789%3Atrigger%2F0c54ddb4cd37e6b8316ecdc1ba4ae3b7%2Falert%2F014f2161de2fffc59dd5d2cdf81a73fb" target="_blank"&gt;https://mt.us-east-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aus-east-1%3A123456789%3Atrigger%2F0c54ddb4cd37e6b8316ecdc1ba4ae3b7%2Falert%2F014f2161de2fffc59dd5d2cdf81a73fb&lt;/A&gt;&lt;BR /&gt;
alert-arn=arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7/alert/014f2161de2fffc59dd5d2cdf81a73fb&lt;BR /&gt;
risk-score=3&lt;BR /&gt;
updated-at=2020-01-07T10:46:36.136911&lt;BR /&gt;
created-at=2020-01-07T00:46:35.139000+00:00&lt;BR /&gt;
actor=321404829113:anonymous_principal&lt;BR /&gt;
summary.Description=Access Denied error to IAM user while attempting to get an AWS S3 Object from and IP address outside of AWS. This could be an indication of attempted access to restricted content&lt;BR /&gt;
IP=216.20.176.6,216.20.176.5,216.20.176.4,216.20.176.2&lt;BR /&gt;
TimeRange="start":"2020-01-07T00:29:44Z","end":"2020-01-07T00:29:47Z","start":"2020-01-07T10:06:11Z","end":"2020-01-07T10:06:11Z","start":"2020-01-07T07:51:59Z","end":"2020-01-07T07:51:59Z","start":"2020-01-07T10:19:18Z","end":"2020-01-07T10:19:18Z","start":"2020-01-07T10:24:37Z","end":"2020-01-07T10:24:37Z"&lt;BR /&gt;
Location="us-east-1&lt;BR /&gt;
Event Count=7&lt;BR /&gt;
Events.GetObject.count=5&lt;BR /&gt;
Events.GetObject.ISP=Company&lt;BR /&gt;
Events.GetObject.Error Code=AccessDenied&lt;BR /&gt;
Events.ListObjects.count=2&lt;BR /&gt;
Events.ListObjects.ISP=Company&lt;BR /&gt;
Events.ListObjects.Error Code=AccessDenied&lt;BR /&gt;
recipientAccountId=321404829113&lt;BR /&gt;
trigger.rule-arn=arn:aws:macie:us-east-1:123456789:trigger/0c54ddb4cd37e6b8316ecdc1ba4ae3b7"&lt;BR /&gt;
trigger.alert-type=basic&lt;BR /&gt;
trigger.created-at=2019-12-19 09:32:37.931000+00:00&lt;BR /&gt;
trigger.description=Access Denied error to IAM user while attempting to get an AWS S3 Object from and IP address outside of AWS. This could be an indication of attempted access to restricted content&lt;BR /&gt;
trigger.risk=3&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 03:39:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475532#M81632</guid>
      <dc:creator>martinnepolean</dc:creator>
      <dc:date>2020-09-30T03:39:46Z</dc:date>
    </item>
    <item>
      <title>Re: Json field parsing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475533#M81633</link>
      <description>&lt;P&gt;The JSON extraction of &lt;CODE&gt;spath&lt;/CODE&gt; and &lt;CODE&gt;props.conf&lt;/CODE&gt; works like this.&lt;BR /&gt;
It is unavoidable.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Jan 2020 12:48:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Json-field-parsing/m-p/475533#M81633</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-01-15T12:48:52Z</dc:date>
    </item>
  </channel>
</rss>

