Hi,
i have event like
vuln {
host: some_host
cve: {
base_score: 10
description: "Really nasty"
references: [link_1
link_2]
}
remediation: {
something: "something"
}
}
Now I don't want table where json key is Column name but as Event raw in Table .
I would like to have dynamic Table something like
Name | Value
base_score | 10
description | Really nasty
references | link_1, link_2
You mean like this
| makeresults
| eval _raw="{ \"vuln\" : {
\"host\": \"some_host\",
\"cve\": {
\"base_score\": 10,
\"description\": \"Really nasty\",
\"references\": [\"link_1\",
\"link_2\"]
},
\"remediation\": {
\"something\": \"something\"
}
}
}"
| spath
| fields - _raw _time
| fields vuln.cve.*
| rename vuln.cve.* as *
| transpose 0 column_name="Key"
| rename "row 1" as Value
Take a look at Brett Adams' app on Splunkbase
https://splunkbase.splunk.com/app/6161/
that is designed to extract key/value pairs as fields.
It didn't solve my challenge.
Basically what I am doing is a Visualization, when you click on CVE then I am population token and I want to create Table with CVE information but not as:
Column_1_name, Column_2_name,Column_3_name, .... as it's really not readable.
But I wanna have Table
Column_1_key, Column_2_value
key_name_1, key_value_1
key_name_2, key_value_2
I am really confused that Splunk does not have something like that out-of-the-box.
Or at least, can I somehow create a search, retrieve event and than manually fix column names and "event row's"
You mean like this
| makeresults
| eval _raw="{ \"vuln\" : {
\"host\": \"some_host\",
\"cve\": {
\"base_score\": 10,
\"description\": \"Really nasty\",
\"references\": [\"link_1\",
\"link_2\"]
},
\"remediation\": {
\"something\": \"something\"
}
}
}"
| spath
| fields - _raw _time
| fields vuln.cve.*
| rename vuln.cve.* as *
| transpose 0 column_name="Key"
| rename "row 1" as Value
Yes, Thank you 🙂
I modified it a bit to map original json event and it's working as charm 🙂