topic Splunk searching nested json in Splunk Search https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399610#M115840 <P>Hello<BR /> I use automatic translation because I am not good at English. sorry.</P> <P>I took NVD 's CVE list (Json Feed) into Splunk.<BR /> That's index="testIndex" product_name = "openssl" "version_data" = "1.6.0" Searching with<BR /> There is no "1.6.0" in the version of openssl</P> <P>I want to link product with version but it does not work as expected.<BR /> I can't get spath or mvexpand to extract the nested arrays properly<BR /> Someone help me.</P> <PRE><CODE> { "cve" : { "CVE_data_meta" : { "ID" : "CVE-2013-0169", "ASSIGNER" : "cve@mitre.org" }, "affects" : { "vendor" : { "vendor_data" : [ { "vendor_name" : "openssl", "product" : { "product_data" : [ { "product_name" : "openssl", "version" : { "version_data" : [ { "version_value" : "*" }, { "version_value" : "0.9.8" }, { "version_value" : "0.9.8a" }, { "version_value" : "0.9.8b" }, { "version_value" : "0.9.8c" }, { "version_value" : "0.9.8d" }, { "version_value" : "0.9.8f" }, { "version_value" : "0.9.8g" } ] } } ] } }, { "vendor_name" : "oracle", "product" : { "product_data" : [ { "product_name" : "openjdk", "version" : { "version_data" : [ { "version_value" : "-" }, { "version_value" : "1.6.0" }, { "version_value" : "1.7.0" } ] } } ] } }, { "vendor_name" : "polarssl", "product" : { "product_data" : [ { "product_name" : "polarssl", "version" : { "version_data" : [ { "version_value" : "0.10.0" }, { "version_value" : "0.10.1" }, { "version_value" : "0.11.0" } ] } } ] } } ] } } }, "publishedDate" : "2013-02-08T19:55Z", "lastModifiedDate" : "2018-08-09T01:29Z" } </CODE></PRE> Tue, 29 Sep 2020 20:50:56 GMT blaku 2020-09-29T20:50:56Z Splunk searching nested json https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399610#M115840 <P>Hello<BR /> I use automatic translation because I am not good at English. sorry.</P> <P>I took NVD 's CVE list (Json Feed) into Splunk.<BR /> That's index="testIndex" product_name = "openssl" "version_data" = "1.6.0" Searching with<BR /> There is no "1.6.0" in the version of openssl</P> <P>I want to link product with version but it does not work as expected.<BR /> I can't get spath or mvexpand to extract the nested arrays properly<BR /> Someone help me.</P> <PRE><CODE> { "cve" : { "CVE_data_meta" : { "ID" : "CVE-2013-0169", "ASSIGNER" : "cve@mitre.org" }, "affects" : { "vendor" : { "vendor_data" : [ { "vendor_name" : "openssl", "product" : { "product_data" : [ { "product_name" : "openssl", "version" : { "version_data" : [ { "version_value" : "*" }, { "version_value" : "0.9.8" }, { "version_value" : "0.9.8a" }, { "version_value" : "0.9.8b" }, { "version_value" : "0.9.8c" }, { "version_value" : "0.9.8d" }, { "version_value" : "0.9.8f" }, { "version_value" : "0.9.8g" } ] } } ] } }, { "vendor_name" : "oracle", "product" : { "product_data" : [ { "product_name" : "openjdk", "version" : { "version_data" : [ { "version_value" : "-" }, { "version_value" : "1.6.0" }, { "version_value" : "1.7.0" } ] } } ] } }, { "vendor_name" : "polarssl", "product" : { "product_data" : [ { "product_name" : "polarssl", "version" : { "version_data" : [ { "version_value" : "0.10.0" }, { "version_value" : "0.10.1" }, { "version_value" : "0.11.0" } ] } } ] } } ] } } }, "publishedDate" : "2013-02-08T19:55Z", "lastModifiedDate" : "2018-08-09T01:29Z" } </CODE></PRE> Tue, 29 Sep 2020 20:50:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399610#M115840 blaku 2020-09-29T20:50:56Z Re: Splunk searching nested json https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399611#M115841 <P>@blaku,</P> <P>Try</P> <PRE><CODE>|makeresults |eval json=" { \"cve\" : { \"CVE_data_meta\" : { \"ID\" : \"CVE-2013-0169\", \"ASSIGNER\" : \"cve@mitre.org\" }, \"affects\" : { \"vendor\" : { \"vendor_data\" : [ { \"vendor_name\" : \"openssl\", \"product\" : { \"product_data\" : [ { \"product_name\" : \"openssl\", \"version\" : { \"version_data\" : [ { \"version_value\" : \"*\" }, { \"version_value\" : \"0.9.8\" }, { \"version_value\" : \"0.9.8a\" }, { \"version_value\" : \"0.9.8b\" }, { \"version_value\" : \"0.9.8c\" }, { \"version_value\" : \"0.9.8d\" }, { \"version_value\" : \"0.9.8f\" }, { \"version_value\" : \"0.9.8g\" } ] } } ] } }, { \"vendor_name\" : \"oracle\", \"product\" : { \"product_data\" : [ { \"product_name\" : \"openjdk\", \"version\" : { \"version_data\" : [ { \"version_value\" : \"-\" }, { \"version_value\" : \"1.6.0\" }, { \"version_value\" : \"1.7.0\" } ] } } ] } }, { \"vendor_name\" : \"polarssl\", \"product\" : { \"product_data\" : [ { \"product_name\" : \"polarssl\", \"version\" : { \"version_data\" : [ { \"version_value\" : \"0.10.0\" }, { \"version_value\" : \"0.10.1\" }, { \"version_value\" : \"0.11.0\" } ] } } ] } } ] } } }, \"publishedDate\" : \"2013-02-08T19:55Z\", \"lastModifiedDate\" : \"2018-08-09T01:29Z\" }" |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version |eval z=mvzip(product_name,version,"#")|table z| mvexpand z |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version |spath input=Version output=Versions path=version_data{}.version_value |table Product,Versions |mvexpand Versions </CODE></PRE> Sun, 12 Aug 2018 08:11:41 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399611#M115841 renjith_nair 2018-08-12T08:11:41Z Re: Splunk searching nested json https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399612#M115842 <P>Hi,</P> <P>Map JSON logs to _json sourcetype. </P> <P>In the props.conf file create stanza like below.</P> <P>[_json]<BR /> KV_MODE= json</P> <P>It will extract fields. So don't need to search nested json files. Just search fields you require. </P> Tue, 29 Sep 2020 20:54:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399612#M115842 afroz 2020-09-29T20:54:13Z Re: Splunk searching nested json https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399613#M115843 <P>@renjith.nair<BR /> Hi<BR /> When I tried it worked without problem.<BR /> It is movement as expected.<BR /> Thank you very much</P> Wed, 15 Aug 2018 04:23:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399613#M115843 blaku 2018-08-15T04:23:19Z Re: Splunk searching nested json https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399614#M115844 <P>Here is another solution, but this one does not need mvzip, split or mvindex:</P> <PRE><CODE>|makeresults |eval json=" { \"cve\" : { \"CVE_data_meta\" : { \"ID\" : \"CVE-2013-0169\", \"ASSIGNER\" : \"cve@mitre.org\" }, \"affects\" : { \"vendor\" : { \"vendor_data\" : [ { \"vendor_name\" : \"openssl\", \"product\" : { \"product_data\" : [ { \"product_name\" : \"openssl\", \"version\" : { \"version_data\" : [ { \"version_value\" : \"*\" }, { \"version_value\" : \"0.9.8\" }, { \"version_value\" : \"0.9.8a\" }, { \"version_value\" : \"0.9.8b\" }, { \"version_value\" : \"0.9.8c\" }, { \"version_value\" : \"0.9.8d\" }, { \"version_value\" : \"0.9.8f\" }, { \"version_value\" : \"0.9.8g\" } ] } } ] } }, { \"vendor_name\" : \"oracle\", \"product\" : { \"product_data\" : [ { \"product_name\" : \"openjdk\", \"version\" : { \"version_data\" : [ { \"version_value\" : \"-\" }, { \"version_value\" : \"1.6.0\" }, { \"version_value\" : \"1.7.0\" } ] } } ] } }, { \"vendor_name\" : \"polarssl\", \"product\" : { \"product_data\" : [ { \"product_name\" : \"polarssl\", \"version\" : { \"version_data\" : [ { \"version_value\" : \"0.10.0\" }, { \"version_value\" : \"0.10.1\" }, { \"version_value\" : \"0.11.0\" } ] } } ] } } ] } } }, \"publishedDate\" : \"2013-02-08T19:55Z\", \"lastModifiedDate\" : \"2018-08-09T01:29Z\" }" |spath input=json output=product_data path=cve.affects.vendor.vendor_data{}.product{}.product_data{} |mvexpand product_data |spath input=product_data path=product_name |spath input=product_data output=version path=version.version_data{}.version_value |mvexpand version |table product_name, version </CODE></PRE> Wed, 04 Dec 2019 20:39:02 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399614#M115844 vmacedo 2019-12-04T20:39:02Z Re: Splunk searching nested json https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399615#M115845 <P>Great! thank you</P> Thu, 05 Dec 2019 13:38:18 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searching-nested-json/m-p/399615#M115845 to4kawa 2019-12-05T13:38:18Z