Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to draw a table that digests a field which varies differently

Saer000
Engager
‎06-27-2022 07:26 AM

Hi, I wanna plot a table to indicate the scanner status of Gitlab repos in the dashboard, like below: (1 means enabled, 0 means no used).

fullPathSASTSAST_IACDASTDEPENDENCY_SCANNINGCONTAINER_SCANNINGSECRET_DETECTIONCOVERAGE_FUZZING
API_FUZZING
CLUSTER_IMAGE_SCANNING
repos1100101000
repos2111111000
repos3100111110

 

And my raw data stream look like below:

 

{"fullPath": "repos1", "securityScanners": {"available": ["SAST", "SAST_IAC", "DAST", "DEPENDENCY_SCANNING", "CONTAINER_SCANNING", "SECRET_DETECTION", "COVERAGE_FUZZING", "API_FUZZING", "CLUSTER_IMAGE_SCANNING"], "enabled": ["SAST", "DEPENDENCY_SCANNING", "SECRET_DETECTION"], "pipelineRun": ["SAST", "DEPENDENCY_SCANNING", "SECRET_DETECTION"]}}

{"fullPath": "repos2", "securityScanners": {"available": ["SAST", "SAST_IAC", "DAST", "DEPENDENCY_SCANNING", "CONTAINER_SCANNING", "SECRET_DETECTION", "COVERAGE_FUZZING", "API_FUZZING", "CLUSTER_IMAGE_SCANNING"], "enabled": ["SAST", "DEPENDENCY_SCANNING", "SECRET_DETECTION"], "pipelineRun": ["SAST", "DEPENDENCY_SCANNING", "SECRET_DETECTION", "DAST"]}}

 


Could anyone help me build a search language to achieve the above?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-27-2022 06:34 PM

Here is an example using your example data 

| makeresults
| eval x=split("{\"fullPath\": \"repos1\", \"securityScanners\": {\"available\": [\"SAST\", \"SAST_IAC\", \"DAST\", \"DEPENDENCY_SCANNING\", \"CONTAINER_SCANNING\", \"SECRET_DETECTION\", \"COVERAGE_FUZZING\", \"API_FUZZING\", \"CLUSTER_IMAGE_SCANNING\"], \"enabled\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\"], \"pipelineRun\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\"]}}X{\"fullPath\": \"repos2\", \"securityScanners\": {\"available\": [\"SAST\", \"SAST_IAC\", \"DAST\", \"DEPENDENCY_SCANNING\", \"CONTAINER_SCANNING\", \"SECRET_DETECTION\", \"COVERAGE_FUZZING\", \"API_FUZZING\", \"CLUSTER_IMAGE_SCANNING\"], \"enabled\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\"], \"pipelineRun\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\", \"DAST\"]}}","X")
| mvexpand x
| rename x as _raw
| spath
| fields - _raw
| rename securityScanners.* as *
| chart values(enabled{}) by fullPath available{}
| foreach * [ eval <<FIELD>>=if("<<MATCHSTR>>"="fullPath", <<FIELD>>, if(isnull(mvfind(<<FIELD>>, "<<MATCHSTR>>")), 0, 1)) ]

The search fragment you need will be the last 3 lines and it assumes that your JSON fields have been extracted based on their JSON names.

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-27-2022 06:34 PM

Here is an example using your example data 

| makeresults
| eval x=split("{\"fullPath\": \"repos1\", \"securityScanners\": {\"available\": [\"SAST\", \"SAST_IAC\", \"DAST\", \"DEPENDENCY_SCANNING\", \"CONTAINER_SCANNING\", \"SECRET_DETECTION\", \"COVERAGE_FUZZING\", \"API_FUZZING\", \"CLUSTER_IMAGE_SCANNING\"], \"enabled\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\"], \"pipelineRun\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\"]}}X{\"fullPath\": \"repos2\", \"securityScanners\": {\"available\": [\"SAST\", \"SAST_IAC\", \"DAST\", \"DEPENDENCY_SCANNING\", \"CONTAINER_SCANNING\", \"SECRET_DETECTION\", \"COVERAGE_FUZZING\", \"API_FUZZING\", \"CLUSTER_IMAGE_SCANNING\"], \"enabled\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\"], \"pipelineRun\": [\"SAST\", \"DEPENDENCY_SCANNING\", \"SECRET_DETECTION\", \"DAST\"]}}","X")
| mvexpand x
| rename x as _raw
| spath
| fields - _raw
| rename securityScanners.* as *
| chart values(enabled{}) by fullPath available{}
| foreach * [ eval <<FIELD>>=if("<<MATCHSTR>>"="fullPath", <<FIELD>>, if(isnull(mvfind(<<FIELD>>, "<<MATCHSTR>>")), 0, 1)) ]

The search fragment you need will be the last 3 lines and it assumes that your JSON fields have been extracted based on their JSON names.

 

 

Reply
Solved! Jump to solution

Saer000
Engager
‎06-28-2022 03:39 AM

Thanks a lot, it really works on my side.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2022 08:23 AM

What have you tried so far?  How have those efforts not met expectations?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...