Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract Json from a log

gcusello
SplunkTrust
SplunkTrust
‎04-03-2020 08:02 AM

Hi at all,
I'm finding problems extracting fields from a json log using spath, I cannot use regexes because I have to use these fields in the Zimperium App Datamodel.
I already extracted json, but I don't know why I'm finding problems.

This is a sample:

<14>1 04 02 2020 17:02:22 UTC zconsole-xxxxxxxxxx-xxx44 {"system_token": "company-uat", "severity": 1, "event_id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "forensics": {"zdid": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "event_id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "os": 1, "attack_time": {"$date": 1585846942000}, "general": [{"name": "Threat Type", "val": "DORMANT"}, {"name": "Action Triggered", "val": ""}], "threat_uuid": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "type": 100}, "mitigated": false, "location": null, "eventtimestamp": "04 02 2020 17:02:22 UTC", "user_info": {"employee_name": "User03 Test", "user_id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "user_role": "End User", "user_email": "test.user03@company.com", "user_group": "__MTD_UAT"}, "device_info": {"tag1": "", "device_time": "03 30 2020 17:01:31 UTC", "app_version": "10.5.1.0.52R", "zdid": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "tag2": "", "os": "Android", "app": "MobileIron", "jailbroken": false, "operator": null, "os_version": "9", "mdm_id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "imei": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "model": "SM-A530F", "device_id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "type": "jackpotltexx", "zapp_instance_id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx"}, "threat": {"story": "Inactive Device", "name": "Inactive Device", "general": {"action_triggered": "", "threat_type": "DORMANT"}}}

if I use the spath command I have an additional field called "14" containing all the event.

Problems started from the ingestion, because this log isn't recognized al json the guided ingestion.

Can anyone give me an idea how to do this?

Thank you in advance.

Ciao.
Giuseppe

Tags (2)
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-03-2020 08:21 AM

I reached to extract json using a regex:

index="mtd" sourcetype="mtd" 
| rex "[^\{]*(?<all>.*)"
| spath input=all

But i cannot use this search in Datamodel.

Ciao.
Giuseppe

0 Karma
Reply

to4kawa
Ultra Champion
‎04-03-2020 04:35 PM 
| makeresults
| eval _raw="<14>1 04 02 2020 17:02:22 UTC zconsole-xxxxxxxxxx-xxx44 {\"system_token\": \"company-uat\", \"severity\": 1, \"event_id\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"forensics\": {\"zdid\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"event_id\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"os\": 1, \"attack_time\": {\"$date\": 1585846942000}, \"general\": [{\"name\": \"Threat Type\", \"val\": \"DORMANT\"}, {\"name\": \"Action Triggered\", \"val\": \"\"}], \"threat_uuid\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"type\": 100}, \"mitigated\": false, \"location\": null, \"eventtimestamp\": \"04 02 2020 17:02:22 UTC\", \"user_info\": {\"employee_name\": \"User03 Test\", \"user_id\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"user_role\": \"End User\", \"user_email\": \"test.user03@company.com\", \"user_group\": \"__MTD_UAT\"}, \"device_info\": {\"tag1\": \"\", \"device_time\": \"03 30 2020 17:01:31 UTC\", \"app_version\": \"10.5.1.0.52R\", \"zdid\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"tag2\": \"\", \"os\": \"Android\", \"app\": \"MobileIron\", \"jailbroken\": false, \"operator\": null, \"os_version\": \"9\", \"mdm_id\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"imei\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"model\": \"SM-A530F\", \"device_id\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\", \"type\": \"jackpotltexx\", \"zapp_instance_id\": \"xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx\"}, \"threat\": {\"story\": \"Inactive Device\", \"name\": \"Inactive Device\", \"general\": {\"action_triggered\": \"\", \"threat_type\": \"DORMANT\"}}}"
| rex mode=sed "s/.*UTC \S+ //g"
| spath

props.conf

TIME_PREFIX = \<\d+\>\d\s
TIME_FORMAT = %m %d %Y %T %Z
SEDCMD-trim = s/.*UTC \S+ //g
INDEXED_EXTRACTIONS = json
KV_MODE = none

Hi, @gcusello
I don't know if it's a data model, but usually this is fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...