Getting Data In

Nested JSON Parsing and SPATH

praneethnagu143
Explorer

I am trying to add the JSON file onto splunk. The file is not getting added effectively. I am attaching a brief of my JSON document. Help me with this.

This is a part of my JSON response:

"assigned_to": null,
"assigned_to_username": null,
"comments": {
"comments": [
{
"comment": "Closed as helpful",
"time": "2019-02-19T07:48:28.647509+00:00",
"user": ""
},
{
"comment": "Updated by 1 observations",
"time": "2019-02-14T05:06:31.980100+00:00",
"user": null
}
],
"count": 2,
"text": "2 comments"
},
"created": "2019-02-13T07:31:38Z",
"description": "The AWS API has been accessed from a remote host in a country that doesn't normally access the API. For example, creating an IAM role from an unusual foreign IP would trigger this alert.",
"hostname": null,
"id": 133,
"ips_when_created": [],
"last_modified": "2019-02-14T05:06:31.946168Z",
"merit": 8,
"natural_time": "1 month ago",
"new_comment": null,
"obj_created": "2019-02-13T08:06:14.549476Z",
"observations": [
6557,
6559,
6947
],
"priority": 20,
"publish_time": "2019-02-13T08:06:14.486725+00:00",
"resolved": true,
"resolved_time": "2019-02-19T07:48:28.628199Z",
"resolved_user": {
"id": 2,
"is_superuser": false,
"username": ""
},
"rules_matched": null,
"snooze_settings": null,
"source": 20,
"source_info": {
"created": "2019-01-22T00:15:33.086690+00:00",
"name": "(Amazon Web Services) 774913163797\root"
},
"source_name": "(Amazon Web Services) 774913163797\root",
"source_params": {
"authority": "Amazon Web Services",
"domain": "774913163797",
"id": 1,
"meta": "user",
"source": 19,
"user_source_id": 20,
"user_type": 0,
"username": "root"
},
"tags": [],
"text": "Geographically Unusual AWS API Usage on (Amazon Web Services) 774913163797\root\nhttps://cisco-nalfarda.obsrvbl.com/#/alerts/133",
"time": "2019-02-14T04:31:55Z",
"type": "Geographically Unusual AWS API Usage"
},
{
"assigned_to": null,
"assigned_to_username": null,
"comments": {
"comments": [
{
"comment": "Automatically closed. See Alert settings to modify whitelists and priorities.",
"time": "2019-01-25T10:31:00.019918+00:00",
"user": null
}
],
"count": 1,
"text": "1 comment"
},
"created": "2019-01-25T09:00:00Z",
"description": "Source has many failed access attempts from an external device. For example, a remote device trying repeatedly to access an internal server using SSH or Telnet would trigger this alert.",
"hostname": "i-084c971e032f292a1",
"id": 67,
"ips_when_created": [],
"last_modified": "2019-01-25T10:30:59.938043Z",
"merit": 5,
"natural_time": "1 month, 3 weeks ago",
"new_comment": null,
"obj_created": "2019-01-25T10:30:59.967304Z",
"observations": [
1126
],
"priority": 10,
"publish_time": "2019-01-25T10:30:59.934696+00:00",
"resolved": true,
"resolved_time": "2019-01-25T10:30:59.938043Z",
"resolved_user": null,
"rules_matched": null,
"snooze_settings": null,
"source": 15,
"source_info": {
"created": "2019-01-21T23:30:48.363367+00:00",
"hostnames": [],
"ips": [],
"name": "i-084c971e032f292a1",
"namespace": "awsv2:774913163797:us-west-2:vpc-0fe50f76"
},
"source_name": "i-084c971e032f292a1",
"source_params": {
"id": 15,
"meta": "net-link",
"name": "i-084c971e032f292a1"
},
"tags": [],
"text": "Excessive Access Attempts (External) on i-084c971e032f292a1\nhttps://cisco-nalfarda.obsrvbl.com/#/alerts/67",
"time": "2019-01-25T09:00:00Z",
"type": "Excessive Access Attempts (External)"
}

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...