Getting Data In

Nested JSON Parsing and SPATH

praneethnagu143
Explorer

I am trying to add the JSON file onto splunk. The file is not getting added effectively. I am attaching a brief of my JSON document. Help me with this.

This is a part of my JSON response:

"assigned_to": null,
"assigned_to_username": null,
"comments": {
"comments": [
{
"comment": "Closed as helpful",
"time": "2019-02-19T07:48:28.647509+00:00",
"user": ""
},
{
"comment": "Updated by 1 observations",
"time": "2019-02-14T05:06:31.980100+00:00",
"user": null
}
],
"count": 2,
"text": "2 comments"
},
"created": "2019-02-13T07:31:38Z",
"description": "The AWS API has been accessed from a remote host in a country that doesn't normally access the API. For example, creating an IAM role from an unusual foreign IP would trigger this alert.",
"hostname": null,
"id": 133,
"ips_when_created": [],
"last_modified": "2019-02-14T05:06:31.946168Z",
"merit": 8,
"natural_time": "1 month ago",
"new_comment": null,
"obj_created": "2019-02-13T08:06:14.549476Z",
"observations": [
6557,
6559,
6947
],
"priority": 20,
"publish_time": "2019-02-13T08:06:14.486725+00:00",
"resolved": true,
"resolved_time": "2019-02-19T07:48:28.628199Z",
"resolved_user": {
"id": 2,
"is_superuser": false,
"username": ""
},
"rules_matched": null,
"snooze_settings": null,
"source": 20,
"source_info": {
"created": "2019-01-22T00:15:33.086690+00:00",
"name": "(Amazon Web Services) 774913163797\root"
},
"source_name": "(Amazon Web Services) 774913163797\root",
"source_params": {
"authority": "Amazon Web Services",
"domain": "774913163797",
"id": 1,
"meta": "user",
"source": 19,
"user_source_id": 20,
"user_type": 0,
"username": "root"
},
"tags": [],
"text": "Geographically Unusual AWS API Usage on (Amazon Web Services) 774913163797\root\nhttps://cisco-nalfarda.obsrvbl.com/#/alerts/133",
"time": "2019-02-14T04:31:55Z",
"type": "Geographically Unusual AWS API Usage"
},
{
"assigned_to": null,
"assigned_to_username": null,
"comments": {
"comments": [
{
"comment": "Automatically closed. See Alert settings to modify whitelists and priorities.",
"time": "2019-01-25T10:31:00.019918+00:00",
"user": null
}
],
"count": 1,
"text": "1 comment"
},
"created": "2019-01-25T09:00:00Z",
"description": "Source has many failed access attempts from an external device. For example, a remote device trying repeatedly to access an internal server using SSH or Telnet would trigger this alert.",
"hostname": "i-084c971e032f292a1",
"id": 67,
"ips_when_created": [],
"last_modified": "2019-01-25T10:30:59.938043Z",
"merit": 5,
"natural_time": "1 month, 3 weeks ago",
"new_comment": null,
"obj_created": "2019-01-25T10:30:59.967304Z",
"observations": [
1126
],
"priority": 10,
"publish_time": "2019-01-25T10:30:59.934696+00:00",
"resolved": true,
"resolved_time": "2019-01-25T10:30:59.938043Z",
"resolved_user": null,
"rules_matched": null,
"snooze_settings": null,
"source": 15,
"source_info": {
"created": "2019-01-21T23:30:48.363367+00:00",
"hostnames": [],
"ips": [],
"name": "i-084c971e032f292a1",
"namespace": "awsv2:774913163797:us-west-2:vpc-0fe50f76"
},
"source_name": "i-084c971e032f292a1",
"source_params": {
"id": 15,
"meta": "net-link",
"name": "i-084c971e032f292a1"
},
"tags": [],
"text": "Excessive Access Attempts (External) on i-084c971e032f292a1\nhttps://cisco-nalfarda.obsrvbl.com/#/alerts/67",
"time": "2019-01-25T09:00:00Z",
"type": "Excessive Access Attempts (External)"
}

0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...