Getting Data In

Help with Table Format - JSON

JCANDIAT
Explorer

Performing the following search:

JCANDIAT_0-1674510125746.png

I get this result. I need to parse this information, building an Excel-type table. The information is in JSON format, so I uploaded it to Splunk.

JCANDIAT_2-1674510242190.png

Like this:

JCANDIAT_3-1674510280139.png

ITWhisperer
SplunkTrust

This might be easier from the _raw JSON events. Could you please share anonymised events in a code block (</>)?


JCANDIAT
Explorer

{
  "Threat_hunting": {
    "cliente": "paginaejemplo.com.ar",
    "data": {
      "1": {
        "identificador": "551e5ae3-133a-463e-b3db-404f9e33ce1c",
        "name": "ES_139.47.115.rar/passwords.txt",
        "date": "2023-01-11T06:12:26.576428Z",
        "credenciales": {
          "1": {
            "Application": "Chrome (v106.0.5249.91-64, Profile",
            "URL": "https://www.paginaejemplo.com.ar",
            "Username": "",
            "Password": "dddddddd"
          },
          "2": {
            "Application": "Chrome (v106.0.5249.91-64, Profile",
            "URL": "https://www.paginaejemplo.com.ar",
            "Username": "",
            "Password": "bbbbbb"
          },
          "3": {
            "Application": "Chrome (v106.0.5249.91-64, Profile",
            "URL": "https://www.paginaejemplo.com.ar",
            "Username": "",
            "Password": "aaaaaa"
          }
        }
      },
      "2": {
        "identificador": "b540adda-6f78-40d7-bef4-f3413024fc71",
        "name": "AR[8BB40128FD52DCE2DD16C34FE4DA496E] [2022-11-05T18_37_34.rar/ AR[8BB40128FD52DCE2DD16C34FE4DA496E] [2022-11-05T18_37_34/Passwords.txt",
        "date": "2023-01-14T05:11:44.593095Z",
        "credenciales": {
          "1": {
            "URL": "https://www.paginaejemplo.com.ar",
            "Username": "UNKNOWN",
            "Password": "fffffff",
            "Application": "Google_[Chrome]_Profile 1"
          }
        }
      }
    }
  }
}


ITWhisperer
SplunkTrust

Try something like this

| rex field=key "Threat_hunting\.data\.(?<data>\d+)\.credenciales\.(?<credencial>\d+)\.(?<key>\w+)"
| eval {key}=value
| fields data credencial Application Password URL Username
| stats values(*) as * by data credencial

JCANDIAT
Explorer

Dear,

How can I build this structure, keeping in mind the identification label?

JCANDIAT_1-1674594086796.png

Grateful for your help.

ITWhisperer
SplunkTrust

| rex field=key "Threat_hunting\.data\.(?<data>\d+)\.credenciales\.(?<credencial>\d+)\.(?<key>\w+)"
| rex field=key "Threat_hunting\.data\.(?<data>\d+)\.(?<key>identificador|date)"
| eval {key}=value
| fillnull value=0 credencial
| fields data credencial identificador date Password URL Username
| stats values(*) as * by data credencial
| eventstats values(date) as date values(identificador) as identificador by data
| where credencial != 0
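
The same flattening done outside Splunk, as an added example that is not ITWhisperer's or the poster's code: a Python script that regenerates the dotted key/value pairs the poster's search displayed, applies the two rex patterns from the answers above, groups by data and credencial, carries identificador and date down from the parent data object (the eventstats step), and writes the resulting Excel-type table as CSV. The sample document is the anonymised JSON posted in the thread (the second entry's long "name" is shortened here); the column names are the ones used in the thread. The rows hold plaintext credentials from a stealer log, so treat the CSV as sensitive and mask or drop the Password column before passing it on.

```python
import csv
import io
import re
from collections import defaultdict

# The two patterns from the accepted SPL answer, in Python named-group syntax.
CRED_RE = re.compile(
    r"Threat_hunting\.data\.(?P<data>\d+)\.credenciales\.(?P<credencial>\d+)\.(?P<key>\w+)"
)
META_RE = re.compile(r"Threat_hunting\.data\.(?P<data>\d+)\.(?P<key>identificador|date)")

# Output columns: the union of the two answers' "| fields ..." lists.
COLUMNS = ["data", "credencial", "identificador", "date",
           "Application", "URL", "Username", "Password"]

# The anonymised document posted in the thread; the second entry's long
# "name" is shortened. Passwords are the placeholder strings the poster used.
SAMPLE = {"Threat_hunting": {"cliente": "paginaejemplo.com.ar", "data": {
    "1": {"identificador": "551e5ae3-133a-463e-b3db-404f9e33ce1c",
          "name": "ES_139.47.115.rar/passwords.txt",
          "date": "2023-01-11T06:12:26.576428Z",
          "credenciales": {
              "1": {"Application": "Chrome (v106.0.5249.91-64, Profile",
                    "URL": "https://www.paginaejemplo.com.ar", "Username": "", "Password": "dddddddd"},
              "2": {"Application": "Chrome (v106.0.5249.91-64, Profile",
                    "URL": "https://www.paginaejemplo.com.ar", "Username": "", "Password": "bbbbbb"},
              "3": {"Application": "Chrome (v106.0.5249.91-64, Profile",
                    "URL": "https://www.paginaejemplo.com.ar", "Username": "", "Password": "aaaaaa"}}},
    "2": {"identificador": "b540adda-6f78-40d7-bef4-f3413024fc71",
          "name": "AR[...]/Passwords.txt",
          "date": "2023-01-14T05:11:44.593095Z",
          "credenciales": {
              "1": {"URL": "https://www.paginaejemplo.com.ar", "Username": "UNKNOWN",
                    "Password": "fffffff", "Application": "Google_[Chrome]_Profile 1"}}}}}}


def flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs: the key/value rows the poster's search showed.

    Nested dicts become "a.b.c" keys; list elements get a "{i}" suffix (the
    posted data has no lists; the branch is here for completeness).
    """
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{{{i}}}")
    else:
        yield prefix, obj


def build_table(doc):
    """Return one dict per credential, ordered by (data, credencial) as integers.

    Mirrors the SPL: rex splits each key into data/credencial/key, the value is
    stored under the extracted key, stats groups by (data, credencial), and
    eventstats copies identificador/date from the parent "data" object.
    """
    creds = defaultdict(dict)  # (data, credencial) -> {Application: ..., URL: ..., ...}
    meta = defaultdict(dict)   # data -> {identificador: ..., date: ...}
    for key, value in flatten(doc):
        if m := CRED_RE.fullmatch(key):
            creds[(m["data"], m["credencial"])][m["key"]] = value
        elif m := META_RE.fullmatch(key):
            meta[m["data"]][m["key"]] = value
        # Anything else (Threat_hunting.cliente, ...name) is dropped, as "| fields" does.
    rows = []
    for (data, cred), fields in sorted(creds.items(),
                                       key=lambda kv: (int(kv[0][0]), int(kv[0][1]))):
        row = {"data": data, "credencial": cred, **meta[data], **fields}
        rows.append({c: row.get(c, "") for c in COLUMNS})
    return rows


def to_csv(rows):
    """Render the rows as CSV text (open it in Excel or upload it as a lookup)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_table(SAMPLE)))
```

Run it as-is to print the four-row table for the sample; to process a real export, load the file with `json.load` and pass the result to `build_table`. Keys that match neither pattern are silently dropped, which is the same behaviour as the `| fields` clause in the SPL answer.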

JCANDIAT
Explorer

Thank you very much for your knowledge!


JCANDIAT
Explorer

Thank you very much!!!

It works!
