Getting Data In

How to extract fields from json ?

jerzy999
New Member

I do have a single (unfortunately not very repetitive in terms of number of characters and overall form) JSON event with many fields that I would like to extract:

   affectedPackage: [ [+]
     ]
     bulletinFamily: unix
     cvelist: [ [-]
       CVE-2019-9511
       CVE-2019-9513
     ]
     cvss: { [-]
       score: 7.8
       vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
     }
     description: - -------------------------------------------------------------------------
Debian Security Advisory DSA-4511-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 01, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nghttp2
CVE ID         : CVE-2019-9511 CVE-2019-9513

Two vulnerabilities were discovered in the HTTP/2 code of the nghttp2
HTTP server, which could result in denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.18.1-1+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1.36.0-2+deb10u1.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

     href: https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00159.html
     id: DEBIAN:DSA-4511-1:15C61
     modified: 2019-09-01T21:08:24
     published: 2019-09-01T21:08:24
     title: [SECURITY] [DSA 4511-1] nghttp2 security update
     type: debian
     vhref: https://vulners.com/debian/DEBIAN:DSA-4511-1:15C61 

What is the most optimal way to perform field extraction from this type of event. I am interested in dividing following example for fields such as:

affectedPackage
bulletinFamily
cvelist
href 
title 
published

and so on...

I do ingestion for single day in terms of technologies that I am interested in into single event using a python script -> (HEC) Splunk
and want to generate alerts in Splunk based on critical events which I collect

Tags (2)
0 Karma

jacobpevans
Motivator

Assuming the event is true JSON, set the input sourcetype to either "json_no_timestamp" or "_json". These are built-in Splunk sourcetypes. As @kamlesh_vaghela said, the event you posted is not in true JSON format, but that might just be because you didn't copy the true raw value.

Changing the input will only apply to future events. Once updated, if you go this route, trigger more events or wait, and all of your fields should be automatically extracted similar to the way you described.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@jerzy999

JSON string in your event is not accurate. Bcoz I can see [+] unexpanded value in your event. So please provide full event with valid JSON string.

affectedPackage: [ [+]
  ]

If you have a mixed-format event then we need to extract JSON from that event then fields from them. 🙂

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...