Getting Data In

How to achieve json event key=value to table as event not column name?

jbanAtSplunk
Communicator

Hi,

i have event like
vuln {

    host: some_host
    cve: {

        base_score: 10
        description: "Really nasty"
        references: [link_1

                                link_2]

    }
   remediation: {

     something: "something"

   }
}


Now I don't want table where json key is Column name but as Event raw in Table .

I would like to have dynamic Table something like

Name               | Value
base_score   | 10
description   |  Really nasty
references    | link_1, link_2

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

You mean like this

| makeresults
| eval _raw="{ \"vuln\" : {
    \"host\": \"some_host\",
    \"cve\": {
        \"base_score\": 10,
        \"description\": \"Really nasty\",
        \"references\": [\"link_1\",
        \"link_2\"]
    },
   \"remediation\": {
     \"something\": \"something\"
   }
}
}"
| spath 
| fields - _raw _time
| fields vuln.cve.*
| rename vuln.cve.* as *
| transpose 0 column_name="Key"
| rename "row 1" as Value

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Take a look at Brett Adams' app on Splunkbase

https://splunkbase.splunk.com/app/6161/

that is designed to extract key/value pairs as fields.

 

0 Karma

jbanAtSplunk
Communicator

It didn't solve my challenge.

Basically what I am doing is a Visualization, when you click on CVE then I am population token and I want to create Table with CVE information but not as:

Column_1_name, Column_2_name,Column_3_name, .... as it's really not readable.

But I wanna have Table
Column_1_key, Column_2_value
key_name_1, key_value_1
key_name_2, key_value_2

I am really confused that Splunk does not have something like that out-of-the-box.

Or at least, can I somehow create a search, retrieve event and than manually fix column names and "event row's"

Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

You mean like this

| makeresults
| eval _raw="{ \"vuln\" : {
    \"host\": \"some_host\",
    \"cve\": {
        \"base_score\": 10,
        \"description\": \"Really nasty\",
        \"references\": [\"link_1\",
        \"link_2\"]
    },
   \"remediation\": {
     \"something\": \"something\"
   }
}
}"
| spath 
| fields - _raw _time
| fields vuln.cve.*
| rename vuln.cve.* as *
| transpose 0 column_name="Key"
| rename "row 1" as Value
0 Karma

jbanAtSplunk
Communicator

Yes, Thank you 🙂
I modified it a bit to map original json event and it's working as charm 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...