Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do you parse nested Amazon Web Services fields...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MABurberry
Engager
01-14-2019
01:08 AM
Hi All,
I am having some troubles parsing nested AWS fields.
The data that I have looks like this:
rules: [ [-]
{ [-]
from_port: 80
grants: [ [-]
{ [-]
cidr_ip: 10.51.4.20/31
group_id: null
name: null
owner_id: null
}
{ [-]
cidr_ip: 10.51.4.8/31
group_id: null
name: null
owner_id: null
}
{ [-]
cidr_ip: 10.51.4.2/31
group_id: null
name: null
owner_id: null
}
]
groups:
ipRanges:
ip_protocol: tcp
to_port: 80
}
{ [-]
from_port: 0
grants: [ [-]
{ [-]
cidr_ip: 10.0.1.9/21
group_id: null
name: null
owner_id: null
}
]
groups:
ipRanges:
ip_protocol: tcp
to_port: 65535
}
{ [-]
from_port: 7002
grants: [ [-]
{ [-]
cidr_ip: 10.0.1.7/21
group_id: null
name: null
owner_id: null
}
{ [-]
cidr_ip: 10.0.1.5/21
group_id: null
name: null
owner_id: null
}
{ [-]
cidr_ip: 10.0.1.2/21
group_id: null
name: null
owner_id: null
}
]
groups:
ipRanges:
ip_protocol: tcp
to_port: 7002
}
I want to be able to parse these fields so they show up like:
IP Address FROM_PORT TO_PORT
10.51.4.20/31 80 80
10.51.4.8/31 80 80
10.51.4.2/31 80 80
10.0.1.9/21 0 65535
10.0.1.7/21 7002 7002
I've tried MVZip then MVExpand but I cannot seem to get it working correctly. Does anyone have any ways to solve this please?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-14-2019
01:40 AM
Hi @MABurberry,
can you try |spath command like below
index=<YourIndexname>|spath
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkeck
Influencer
01-14-2019
02:17 AM
Hi,
you need a bit more than just spath
in this example you can see how to use spath in the way you wanted your example
| makeresults | eval _raw = "{\"rules\": [{\"from\": 1, \"grant\":[{\"ip\": 12}, {\"ip\": 34}]}, {\"from\": 2, \"grant\":[{\"ip\": 56}, {\"ip\": 78}]}]}" | spath rules{} output=rules | mvexpand rules | spath input=rules
use just the part after |spath and change the names.
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-14-2019
01:40 AM
Hi @MABurberry,
can you try |spath command like below
index=<YourIndexname>|spath
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MABurberry
Engager
01-14-2019
02:12 AM
Thanks @493669
I was able to extract the correct data using spath.
My search was:
index=test
| spath path=rules{} output=rules
| mvexpand rules
| rename rules as _raw
| spath
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
