Getting Data In

Help with Table Format - JSON

JCANDIAT
Explorer

performing the following search:

JCANDIAT_0-1674510125746.png

I get this result. I need to parser this information, building a table excel type. The information is in JSON format, so a UPLOAD in SPLUNK.

JCANDIAT_2-1674510242190.png

Like this:

JCANDIAT_3-1674510280139.png

 

 

 

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| rex field=key "Threat_hunting\.data\.(?<data>\d+)\.credenciales\.(?<credencial>\d+)\.(?<key>\w+)"
| eval {key}=value
| fields data credencial Application Password URL Username
| stats values(*) as * by data credencial

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

This might be easier from the _raw JSON events. Please can you share anonymised events in a code block </>

0 Karma

JCANDIAT
Explorer

{"Threat_hunting": {
"cliente": "paginaejemplo.com.ar",
"data": {
"1": {
"identificador": "551e5ae3-133a-463e-b3db-404f9e33ce1c",
"name": "ES_139.47.115.rar/passwords.txt",
"date": "2023-01-11T06:12:26.576428Z",
"credenciales": {
"1": {
"Application": "Chrome (v106.0.5249.91-64, Profile",
"URL": "https://www.paginaejemplo.com.ar",
"Username": "",
"Password": "dddddddd"
},
"2": {
"Application": "Chrome (v106.0.5249.91-64, Profile",
"URL": "https://www.paginaejemplo.com.ar",
"Username": "",
"Password": "bbbbbb"
},
"3": {
"Application": "Chrome (v106.0.5249.91-64, Profile",
"URL": "https://www.paginaejemplo.com.ar",
"Username": "",
"Password": "aaaaaa"
}
}
},
"2": {
"identificador": "b540adda-6f78-40d7-bef4-f3413024fc71",
"name": "AR[8BB40128FD52DCE2DD16C34FE4DA496E] [2022-11-05T18_37_34.rar/ AR[8BB40128FD52DCE2DD16C34FE4DA496E] [2022-11-05T18_37_34/Passwords.txt",
"date": "2023-01-14T05:11:44.593095Z",
"credenciales": {
"1": {
"URL": "https://www.paginaejemplo.com.ar",
"Username": "UNKNOWN",
"Password": "fffffff",
"Application": "Google_[Chrome]_Profile 1"
}
}
}
}
}
}

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| rex field=key "Threat_hunting\.data\.(?<data>\d+)\.credenciales\.(?<credencial>\d+)\.(?<key>\w+)"
| eval {key}=value
| fields data credencial Application Password URL Username
| stats values(*) as * by data credencial

JCANDIAT
Explorer

Dear, 

How can i build this structure, have in mind the identification label?

JCANDIAT_1-1674594086796.png

grateful for your help

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex field=key "Threat_hunting\.data\.(?<data>\d+)\.credenciales\.(?<credencial>\d+)\.(?<key>\w+)"
| rex field=key "Threat_hunting\.data\.(?<data>\d+)\.(?<key>identificador|date)"
| eval {key}=value
| fillnull value=0 credencial
| fields data credencial identificador date Password URL Username
| stats values(*) as * by data credencial
| eventstats values(date) as date values(identificador) as identificador by data
| where credencial != 0

JCANDIAT
Explorer

thank you very much for your knowledge!

0 Karma

JCANDIAT
Explorer

Thank you very much!!!

It works!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...