REST API - Search targetResources from Azure Audit...

swaprks · ‎04-19-2024

I am trying to query audit logs from Splunk. The logs are for azure but when I hit the below query, it only returns the text fields and not the object or array fields like initiatedBy and targetResources. Do I need to query this data in a different manner?

index="directoryaudit" | fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime

tscroggins · ‎04-21-2024

Hi @swaprks,

If you're relying on automatic field-extraction, i.e. KV_MODE = auto and AUTO_KV_JSON = true or KV_MODE = json or INDEXED_EXTRACTIONS = JSON, only the nested fields are extracted, e.g.:

initiatedBy.user.id
targetResources{}.id

Arrays are extracted as multi-valued fields, e.g.:

targetResources{}.modifiedProperties{}.displayName
:=
AccountEnabled
StsRefreshTokensValidFrom
UserPrincipalName
UserType
Included Updated Properties

Automatic extraction of arrays of objects with array fields can also be confusing.

To return the native JSON directly, extract the fields as part of your search:

index=directoryaudit
| eval json=json(_raw), initiatedBy=json_extract(json, "initiatedBy"), targetResources=json_extract(json, "targetResources")
| fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime

REST API - Search targetResources from Azure Audit via Java SDK

data

HTTP Event Collector

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation