I do have a single (unfortunately not very repetitive in terms of number of characters and overall form) JSON event with many fields that I would like to extract:
affectedPackage: [ [+]
]
bulletinFamily: unix
cvelist: [ [-]
CVE-2019-9511
CVE-2019-9513
]
cvss: { [-]
score: 7.8
vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
}
description: - -------------------------------------------------------------------------
Debian Security Advisory DSA-4511-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 01, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : nghttp2
CVE ID : CVE-2019-9511 CVE-2019-9513
Two vulnerabilities were discovered in the HTTP/2 code of the nghttp2
HTTP server, which could result in denial of service.
For the oldstable distribution (stretch), these problems have been fixed
in version 1.18.1-1+deb9u1.
For the stable distribution (buster), these problems have been fixed in
version 1.36.0-2+deb10u1.
We recommend that you upgrade your nghttp2 packages.
For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
href: https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00159.html
id: DEBIAN:DSA-4511-1:15C61
modified: 2019-09-01T21:08:24
published: 2019-09-01T21:08:24
title: [SECURITY] [DSA 4511-1] nghttp2 security update
type: debian
vhref: https://vulners.com/debian/DEBIAN:DSA-4511-1:15C61
What is the most optimal way to perform field extraction from this type of event? I am interested in dividing the following example into fields such as:
affectedPackage
bulletinFamily
cvelist
href
title
published
and so on...
I do ingestion for a single day, in terms of the technologies that I am interested in, into a single event using a python script -> (HEC) Splunk,
and want to generate alerts in Splunk based on the critical events which I collect.
Assuming the event is true JSON, set the input sourcetype to either "json_no_timestamp" or "_json". These are built-in Splunk sourcetypes. As @kamlesh_vaghela said, the event you posted is not in true JSON format, but that might just be because you didn't copy the true raw value.
Changing the input will only apply to future events. Once updated, if you go this route, trigger more events or wait, and all of your fields should be automatically extracted similar to the way you described.
@jerzy999
The JSON string in your event is not accurate, because I can see a [+]
unexpanded value in your event. So please provide the full event with a valid JSON string.
affectedPackage: [ [+]
]
If you have a mixed-format event, then we need to extract the JSON from that event and then the fields from it. 🙂
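An added example (not code from the question or from either answer) of what both answers point at: first check that what the script sends is real JSON (the UI rendering with "[+]" markers is not), then post it to HEC as an object with the "_json" sourcetype so Splunk extracts the fields itself. The sample event is a constructed, shortened copy of the advisory above, the HEC URL and token are placeholders, and the "published" time is assumed to be UTC.

```python
"""Validate that an event is real JSON and wrap it for Splunk HEC with a JSON sourcetype."""
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample: a compact version of the advisory from the question, as a real JSON string.
SAMPLE_RAW = """{
  "affectedPackage": [],
  "bulletinFamily": "unix",
  "cvelist": ["CVE-2019-9511", "CVE-2019-9513"],
  "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"},
  "id": "DEBIAN:DSA-4511-1:15C61",
  "published": "2019-09-01T21:08:24",
  "title": "[SECURITY] [DSA 4511-1] nghttp2 security update",
  "type": "debian"
}"""

# Constructed: the Splunk UI rendering (with its "[+]" collapse markers) copied as plain text.
SAMPLE_UI_TEXT = "affectedPackage: [ [+]\n]\nbulletinFamily: unix"


def parse_event(raw):
    """Return the event as a dict; raise ValueError if the text is not real JSON."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg} at offset {exc.pos}") from exc
    if not isinstance(obj, dict):
        raise ValueError("top-level JSON value must be an object")
    return obj


def build_hec_payload(event, sourcetype="_json"):
    """Wrap the event for HEC's /services/collector/event endpoint. The event goes in as an
    object (not a pre-serialised string) with a JSON sourcetype, so Splunk extracts the fields."""
    payload = {"event": event, "sourcetype": sourcetype}
    published = event.get("published")
    if published:  # use the advisory's own time (assumed UTC) as _time instead of ingest time
        ts = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        payload["time"] = ts.timestamp()
    return payload


def send_to_hec(hec_url, token, payload):
    """POST the payload to HEC (hec_url like https://splunk.example:8088/services/collector/event)."""
    req = urllib.request.Request(
        hec_url, data=json.dumps(payload).encode(),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # HEC answers {"text": "Success", "code": 0} on acceptance
```

Once events arrive this way, searches such as `cvss.score>=7` or `cvelist=CVE-2019-9511` work without any manual field extraction, and an alert can be saved on top of them.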