Re: How to extract the values from array?

mcohen13 · ‎03-18-2019

I have a field that his elements looks the following:

["bedep","banjori","gameover","dyre","suppobox","necurs","unknown","conficker","kraken","emotet","mirai","virut","ccleaner"]

How can I only extract the names of the threats with "" from the array on a different field?

kamlesh_vaghela · ‎03-18-2019

By using split:

| makeresults 
 | eval name="[\"bedep\",\"banjori\",\"gameover\",\"dyre\",\"suppobox\",\"necurs\",\"unknown\",\"conficker\",\"kraken\",\"emotet\",\"mirai\",\"virut\",\"ccleaner\"]"
 | eval new_name = name
 | rex field=new_name mode=sed "s/\[|\]|\"//g"
 | eval new_name = split(new_name,",")

woodcock · ‎03-18-2019

Like this:

| makeresults 
| eval name="[\"bedep\",\"banjori\",\"gameover\",\"dyre\",\"suppobox\",\"necurs\",\"unknown\",\"conficker\",\"kraken\",\"emotet\",\"mirai\",\"virut\",\"ccleaner\"]"
| eval new_name = name
| rex field=new_name mode=sed "s/[\[\]]//g"
| makemv delim="," new_name
| rex field=new_name mode=sed "s/\"//g"

vnravikumar · ‎03-18-2019

Hi

Try this

| makeresults 
| eval name="[\"bedep\",\"banjori\",\"gameover\",\"dyre\",\"suppobox\",\"necurs\",\"unknown\",\"conficker\",\"kraken\",\"emotet\",\"mirai\",\"virut\",\"ccleaner\"]" 
| eval result = replace(name, "\[|\]|\"","") 
| makemv delim="," result

How to extract the values from array?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

How to extract the values from array?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?