<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to extract a heavily nested JSON data? in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-heavily-nested-JSON-data/m-p/422743#M121391</link>
    <description>&lt;P&gt;Have you used the &lt;CODE&gt;| spath&lt;/CODE&gt; command to autoextract some of these values? This should do the majority of the work for you, but you may have to use &lt;CODE&gt;mvexpand&lt;/CODE&gt; as well. Check out &lt;CODE&gt;spath&lt;/CODE&gt; first though to see if it works for you.&lt;/P&gt;</description>
    <pubDate>Tue, 29 May 2018 19:40:13 GMT</pubDate>
    <dc:creator>Justinboucher0</dc:creator>
    <dc:date>2018-05-29T19:40:13Z</dc:date>
    <item>
      <title>How to extract a heavily nested JSON data?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-heavily-nested-JSON-data/m-p/422742#M121390</link>
      <description>&lt;P&gt;Hey everyone,&lt;BR /&gt;
I am very new to Splunk and many of the examples I see use relatively simple data.  I am trying to extract certain fields for use in a mapping scheme. &lt;BR /&gt;
Here is the JSON format below:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; "cve" : {
      "data_type" : "CVE",
      "data_format" : "MITRE",
      "data_version" : "4.0",
      "CVE_data_meta" : {
        "ID" : "CVE-1999-0986",
        "ASSIGNER" : "cve@mitre.org"
      },
      "affects" : {
        "vendor" : {
          "vendor_data" : [ {
            "vendor_name" : "debian",
            "product" : {
              "product_data" : [ {
                "product_name" : "debian_linux",
                "version" : {
                  "version_data" : [ {
                    "version_value" : "2.1"
                  } ]
                }
              } ]
            }
          }, {
            "vendor_name" : "linux",
            "product" : {
              "product_data" : [ {
                "product_name" : "linux_kernel",
                "version" : {
                  "version_data" : [ {
                    "version_value" : "2.0"
                  }, {
                    "version_value" : "2.0.34"
                  }, {
                    "version_value" : "2.0.35"
                  }, {
                    "version_value" : "2.0.36"
                  }, {
                    "version_value" : "2.0.37"
                  }, {
                    "version_value" : "2.0.38"
                  } ]
                }
              } ]
            }
          }, {
            "vendor_name" : "redhat",
            "product" : {
              "product_data" : [ {
                "product_name" : "linux",
                "version" : {
                  "version_data" : [ {
                    "version_value" : "5.2"
                  } ]
                }
              } ]
            }
          } ]
        }
      },
      "problemtype" : {
        "problemtype_data" : [ {
          "description" : [ {
            "lang" : "en",
            "value" : "NVD-CWE-Other"
          } ]
        } ]
      },
      "references" : {
        "reference_data" : [ {
          "url" : "http://www.securityfocus.com/bid/870",
          "name" : "870",
          "refsource" : "BID"
        } ]
      },
      "description" : {
        "description_data" : [ {
          "lang" : "en",
          "value" : "The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option."
        } ]
      }
    },
    "configurations" : {
      "CVE_data_version" : "4.0",
      "nodes" : [ {
        "operator" : "OR",
        "cpe" : [ {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:debian:debian_linux:2.1",
          "cpe23Uri" : "cpe:2.3:o:debian:debian_linux:2.1:*:*:*:*:*:*:*"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:linux:linux_kernel:2.0",
          "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.0:*:*:*:*:*:*:*"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:linux:linux_kernel:2.0.34",
          "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.0.34:*:*:*:*:*:*:*"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:linux:linux_kernel:2.0.35",
          "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.0.35:*:*:*:*:*:*:*"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:linux:linux_kernel:2.0.36",
          "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.0.36:*:*:*:*:*:*:*"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:linux:linux_kernel:2.0.37",
          "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.0.37:*:*:*:*:*:*:*"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:linux:linux_kernel:2.0.38",
          "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.0.38:*:*:*:*:*:*:*"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/o:redhat:linux:5.2::i386",
          "cpe23Uri" : "cpe:2.3:o:redhat:linux:5.2:*:i386:*:*:*:*:*"
        } ]
      } ]
    },
    "impact" : {
      "baseMetricV2" : {
        "cvssV2" : {
          "version" : "2.0",
          "vectorString" : "(AV:N/AC:L/Au:N/C:N/I:N/A:P)",
          "accessVector" : "NETWORK",
          "accessComplexity" : "LOW",
          "authentication" : "NONE",
          "confidentialityImpact" : "NONE",
          "integrityImpact" : "NONE",
          "availabilityImpact" : "PARTIAL",
          "baseScore" : 5.0
        },
        "severity" : "MEDIUM",
        "exploitabilityScore" : 10.0,
        "impactScore" : 2.9,
        "obtainAllPrivilege" : false,
        "obtainUserPrivilege" : false,
        "obtainOtherPrivilege" : false,
        "userInteractionRequired" : false
      }
    },
    "publishedDate" : "1999-12-08T05:00Z",
    "lastModifiedDate" : "2008-09-09T12:36Z"
  }
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Essentially the data I am trying to group together would ideally look like this for example:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;vendor: debian        product_name: debian_linux       version_value:2.1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;And to have this repeat in the case that there are additional versions. I've tried using mvexpand, but this ends up with duplicates as well as getting version_value for other products. Any insight would be much appreciated &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 29 May 2018 18:47:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-heavily-nested-JSON-data/m-p/422742#M121390</guid>
      <dc:creator>LunarLlama</dc:creator>
      <dc:date>2018-05-29T18:47:39Z</dc:date>
    </item>
    <item>
      <title>Re: How to extract a heavily nested JSON data?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-heavily-nested-JSON-data/m-p/422743#M121391</link>
      <description>&lt;P&gt;Have you used the &lt;CODE&gt;| spath&lt;/CODE&gt; command to autoextract some of these values? This should do the majority of the work for you, but you may have to use &lt;CODE&gt;mvexpand&lt;/CODE&gt; as well. Check out &lt;CODE&gt;spath&lt;/CODE&gt; first though to see if it works for you.&lt;/P&gt;</description>
      <pubDate>Tue, 29 May 2018 19:40:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-heavily-nested-JSON-data/m-p/422743#M121391</guid>
      <dc:creator>Justinboucher0</dc:creator>
      <dc:date>2018-05-29T19:40:13Z</dc:date>
    </item>
  </channel>
</rss>

