topic Re: parsing json and sending as search command in Splunk Search

parsing json and sending as search command

CorpusCallosum — Mon, 07 Jul 2014 19:16:04 GMT

Hi Guys

I have a json with 75 elements. Normally i can put them in macro and run in search but that means 75 macro search which is not efficient.

I would like to parse json data rule, description, tags and impact values from json file and use those as search

Sample JSON is below

{
 "filters":{
  "filter":[
   {
    "id":"1",
    "rule":"(?:\"[^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\")",
    "description":"Finds html breaking injections including whitespace attacks",
    "tags":{
      "tag":[
        "xss",
        "csrf"
      ]
    },
    "impact":"4"
  },

What would be the efficient way to use thos element in search?

Thanks in advance

Re: parsing json and sending as search command

somesoni2 — Mon, 07 Jul 2014 19:50:35 GMT

can you share how you're parsing them in macro?

Re: parsing json and sending as search command

CorpusCallosum — Mon, 07 Jul 2014 20:04:29 GMT

macro i manually copy paste the regex and description. nothing special 🙂

Re: parsing json and sending as search command

dshpritz — Mon, 07 Jul 2014 20:23:02 GMT

There are two things you might want to look into. If the whole event is JSON, then you should look into the KV_MODE = json configuration in props.conf:

http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Propsconf

If this is the value of a field, then you can look into the spath command:

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Spath

Re: parsing json and sending as search command

CorpusCallosum — Tue, 08 Jul 2014 05:02:28 GMT

this JSON file is actually kind of search db for me. not the list of events. My logs are in syslog format. i just want to parse this json and search in the logs.