This is my JSON data. How should I write a search that walks every nested parentProcess down to the last one and then returns the complete process chain?
Like this:
time | username | processInfo | processInfo.pid | processChain |
2024-03-07T07:46:27Z | randomuser:staff | bash | 51097 | /bin/bash -c pmset -g batt ← %APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1 /Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched ← %APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2 /Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched ← /sbin/launchd ← /sbin/launchd ← kernel_task ← kernel_task |
I don't know how to write this search — please help. Thank you!
This is my JSON data:
{
"timestamp": "2024-03-07T07:46:27Z",
"eventName": "ProcessEvent",
"computer": {
"name": "randomMacBook-Pro.local",
"uuid": "9b85f341-3a24-4f70-a371-8863f8a72f1c"
},
"processInfo": {
"imageName": "bash",
"pid": 51097,
"systemProcess": false,
"imagePath": "/bin/bash",
"commandLine": "-c pmset -g batt",
"exeHash": {
"sha1": "87FD78930606102F09D607FC7305996CEFA6E028",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-07T07:46:27Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "randomprocess1",
"pid": 51097,
"systemProcess": false,
"imagePath": "%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1",
"commandLine": "/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched",
"exeHash": {
"sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-07T07:46:27Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "randomprocess2",
"pid": 603,
"systemProcess": false,
"imagePath": "%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2",
"commandLine": "/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched",
"exeHash": {
"sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-01T08:02:32Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "launchd",
"pid": 603,
"systemProcess": false,
"imagePath": "/sbin/launchd",
"commandLine": "",
"exeHash": {
"sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-03-01T08:02:32Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "launchd",
"pid": 1,
"systemProcess": false,
"imagePath": "/sbin/launchd",
"commandLine": "",
"exeHash": {
"sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-03-01T07:57:30Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "kernel_task",
"pid": 1,
"systemProcess": true,
"imagePath": "kernel_task",
"commandLine": "",
"exeHash": {
"sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-02-27T10:17:35Z",
"currentDirPath": "",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "kernel_task",
"pid": 0,
"systemProcess": true,
"imagePath": "kernel_task",
"commandLine": "",
"exeHash": {
"sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-02-27T10:17:35Z",
"currentDirPath": "",
"isCompromised": false,
"lnkPath": ""
}
}
}
}
}
}
},
"eventType": "Process/PosixExec"
}
Try something like this:
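| makeresults
| fields - _time
``` Inline copy of the sample event so the search is self-contained; replace with your real index/sourcetype search. ```
| eval _raw="{
\"timestamp\": \"2024-03-07T07:46:27Z\",
\"eventName\": \"ProcessEvent\",
\"computer\": {
\"name\": \"randomMacBook-Pro.local\",
\"uuid\": \"9b85f341-3a24-4f70-a371-8863f8a72f1c\"
},
\"processInfo\": {
\"imageName\": \"bash\",
\"pid\": 51097,
\"systemProcess\": false,
\"imagePath\": \"/bin/bash\",
\"commandLine\": \"-c pmset -g batt\",
\"exeHash\": {
\"sha1\": \"87FD78930606102F09D607FC7305996CEFA6E028\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"randomuser:staff\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-07T07:46:27Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"randomprocess1\",
\"pid\": 51097,
\"systemProcess\": false,
\"imagePath\": \"%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1\",
\"commandLine\": \"/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched\",
\"exeHash\": {
\"sha1\": \"E31C5F2840F47A094D58A181586B802FA8531C7E\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"randomuser:staff\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-07T07:46:27Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"randomprocess2\",
\"pid\": 603,
\"systemProcess\": false,
\"imagePath\": \"%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2\",
\"commandLine\": \"/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched\",
\"exeHash\": {
\"sha1\": \"E31C5F2840F47A094D58A181586B802FA8531C7E\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"randomuser:staff\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-01T08:02:32Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"launchd\",
\"pid\": 603,
\"systemProcess\": false,
\"imagePath\": \"/sbin/launchd\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-01T08:02:32Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"launchd\",
\"pid\": 1,
\"systemProcess\": false,
\"imagePath\": \"/sbin/launchd\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-01T07:57:30Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"kernel_task\",
\"pid\": 1,
\"systemProcess\": true,
\"imagePath\": \"kernel_task\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"24BF148FA83C8A5D908C33954B5CA91A5E4E3659\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-02-27T10:17:35Z\",
\"currentDirPath\": \"\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"kernel_task\",
\"pid\": 0,
\"systemProcess\": true,
\"imagePath\": \"kernel_task\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"24BF148FA83C8A5D908C33954B5CA91A5E4E3659\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-02-27T10:17:35Z\",
\"currentDirPath\": \"\",
\"isCompromised\": false,
\"lnkPath\": \"\"
}
}
}
}
}
}
},
\"eventType\": \"Process/PosixExec\"
}"
``` Flatten the nested JSON into dotted fields (processInfo.parentProcess.parentProcess.imagePath, ...). ```
| spath
``` Start the chain at the event's own process (the leaf). coalesce() guards the concatenation: a null operand would make the whole '.' expression null, and mvappend() would silently drop that hop. ```
| eval processChain='processInfo.imagePath'." ".coalesce('processInfo.commandLine',"")
``` Visit every nested parentProcess level. The wildcard matches the run of ".parentProcess" segments between processInfo and the last .parentProcess.imagePath; <<MATCHSEG1>> replays that run so the commandLine of the SAME level is addressed. Several hops in this sample (launchd, kernel_task) carry an empty commandLine, so coalesce() is what keeps them in the chain. ```
``` NOTE(review): in this sample each parentProcess.pid equals the pid of its child (51097/51097, 603/603, 1/1), so that field may be a ppid rather than the parent's own pid — confirm with the producer before keying any correlation on it. ```
| foreach processInfo*.parentProcess.imagePath
    [| eval processChain=mvappend(processChain,'<<FIELD>>'." ".coalesce('processInfo<<MATCHSEG1>>.parentProcess.commandLine',""))]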
You end up with a multi-value field, which you can format as you wish with mvjoin — for example `mvjoin(processChain, " ← ")` produces the arrow-separated chain shown in the question.
Try something like this:
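| makeresults
| fields - _time
``` Inline copy of the sample event so the search is self-contained; replace with your real index/sourcetype search. ```
| eval _raw="{
\"timestamp\": \"2024-03-07T07:46:27Z\",
\"eventName\": \"ProcessEvent\",
\"computer\": {
\"name\": \"randomMacBook-Pro.local\",
\"uuid\": \"9b85f341-3a24-4f70-a371-8863f8a72f1c\"
},
\"processInfo\": {
\"imageName\": \"bash\",
\"pid\": 51097,
\"systemProcess\": false,
\"imagePath\": \"/bin/bash\",
\"commandLine\": \"-c pmset -g batt\",
\"exeHash\": {
\"sha1\": \"87FD78930606102F09D607FC7305996CEFA6E028\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"randomuser:staff\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-07T07:46:27Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"randomprocess1\",
\"pid\": 51097,
\"systemProcess\": false,
\"imagePath\": \"%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1\",
\"commandLine\": \"/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched\",
\"exeHash\": {
\"sha1\": \"E31C5F2840F47A094D58A181586B802FA8531C7E\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"randomuser:staff\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-07T07:46:27Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"randomprocess2\",
\"pid\": 603,
\"systemProcess\": false,
\"imagePath\": \"%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2\",
\"commandLine\": \"/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched\",
\"exeHash\": {
\"sha1\": \"E31C5F2840F47A094D58A181586B802FA8531C7E\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"randomuser:staff\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-01T08:02:32Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"launchd\",
\"pid\": 603,
\"systemProcess\": false,
\"imagePath\": \"/sbin/launchd\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-01T08:02:32Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"launchd\",
\"pid\": 1,
\"systemProcess\": false,
\"imagePath\": \"/sbin/launchd\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-03-01T07:57:30Z\",
\"currentDirPath\": \"/\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"kernel_task\",
\"pid\": 1,
\"systemProcess\": true,
\"imagePath\": \"kernel_task\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"24BF148FA83C8A5D908C33954B5CA91A5E4E3659\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-02-27T10:17:35Z\",
\"currentDirPath\": \"\",
\"isCompromised\": false,
\"lnkPath\": \"\",
\"parentProcess\": {
\"imageName\": \"kernel_task\",
\"pid\": 0,
\"systemProcess\": true,
\"imagePath\": \"kernel_task\",
\"commandLine\": \"\",
\"exeHash\": {
\"sha1\": \"24BF148FA83C8A5D908C33954B5CA91A5E4E3659\",
\"sha256\": null
},
\"sid\": \"\",
\"username\": \"root:wheel\",
\"sidNameUse\": 0,
\"startTime\": \"2024-02-27T10:17:35Z\",
\"currentDirPath\": \"\",
\"isCompromised\": false,
\"lnkPath\": \"\"
}
}
}
}
}
}
},
\"eventType\": \"Process/PosixExec\"
}"
``` Flatten the nested JSON into dotted fields (processInfo.parentProcess.parentProcess.imagePath, ...). ```
| spath
``` Start the chain at the event's own process (the leaf). coalesce() guards the concatenation: a null operand would make the whole '.' expression null, and mvappend() would silently drop that hop. ```
| eval processChain='processInfo.imagePath'." ".coalesce('processInfo.commandLine',"")
``` Visit every nested parentProcess level. The wildcard matches the run of ".parentProcess" segments between processInfo and the last .parentProcess.imagePath; <<MATCHSEG1>> replays that run so the commandLine of the SAME level is addressed. Several hops in this sample (launchd, kernel_task) carry an empty commandLine, so coalesce() is what keeps them in the chain. ```
``` NOTE(review): in this sample each parentProcess.pid equals the pid of its child (51097/51097, 603/603, 1/1), so that field may be a ppid rather than the parent's own pid — confirm with the producer before keying any correlation on it. ```
| foreach processInfo*.parentProcess.imagePath
    [| eval processChain=mvappend(processChain,'<<FIELD>>'." ".coalesce('processInfo<<MATCHSEG1>>.parentProcess.commandLine',""))]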
You end up with a multi-value field, which you can format as you wish with mvjoin — for example `mvjoin(processChain, " ← ")` produces the arrow-separated chain shown in the question.
You are a genius — thank you!!!