topic How to search in a JSON array of hashes? in Splunk Search

How to search in a JSON array of hashes?

jselvi — Tue, 29 Sep 2020 09:55:38 GMT

I have a JSON entry as follows:

{ [-] 
        name:  change_user_access 
        parameters: [ [-] 
         { [+] 
         } 
         { [-] 
            name:  target_user 
            value:  me@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [-] 
            name:  owner 
            value:  peter@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [+] 
         } 
       ]

I'm trying to find a way to get only those events where:

name == "change_user_access"
owner == "*@corp.com"
target_user != "*@corp.com"

The problem is that I don't know how to request something like: 'if name="owner" and value="*@corp.com" in the same hash'.
Any ideas?

Re: How to search in a JSON array of hashes?

axl88 — Thu, 09 Jun 2016 13:51:23 GMT

to be clear, do you wanna index only events with these fields or this is already indexed and you want to extract events that has these values?

Re: How to search in a JSON array of hashes?

jselvi — Thu, 09 Jun 2016 13:54:39 GMT

This is already indexed. I want to extract those events and create an alert.

Re: How to search in a JSON array of hashes?

javiergn — Thu, 09 Jun 2016 14:02:16 GMT

See if the following helps. Please note I'm assuming you have separated events. If that's not the case please provide more information about your JSON.

| stats count | fields - count
| eval _raw = "{ [-] 
         name:  change_user_access 
         parameters: [ [-] 
          { [+] 
          } 
          { [-] 
             name:  target_user 
             value:  me@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [-] 
             name:  owner 
             value:  peter@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [+] 
          } 
        ] "
| regex _raw = "(?msi)name:  change_user_access.+name:  owner \s+value:  peter@corp.com"
| regex _raw != "(?msi)name:  target_user \s+value:  [^\s@]+@corp.com"

EDIT
Worst case simply extract your JSON with spath and filter with search or where afterwards.

Re: How to search in a JSON array of hashes?

axl88 — Tue, 29 Sep 2020 09:55:41 GMT

I do these type of alerting via field-extractions feature. I write my regex for each field I want to extract and use these fields for alert conditionals. Moreover, it is easier to maintain since all your extractions are saved in settings. Also, I personally don't like having lines of command in my Splunk searches.

1) in extracted field write your regex with lookahead/lookbehind and name it with appropriate name. in your case, you should look for existence of change_user_access then look for other fields extracted. Your regex should look like:

(?:Name\s\:)(?P<top_in_hierarcy>[^\-]+?)(?=\nParameters)

2) then you should do the similar for other fields you want to extract.
3) when setting up alert, add top_in_hierarcy field above to your search as "top_in_hierarcy=change_user_access" . It will bring only those events and you can work easier with details using other splunk features as well as regex.