Re-arranging Json fields while indexing the data

Karthikeya
Communicator

This is how our normal raw event looks --

Feb 7 23:59:32 128.160.82.26 [local0.warning] <132>1 2025-02-07T23:59:32.033309Z AviVantage v-wasphictst-wdc.hc.cloud.uk.sony-443 NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-e52d1117-b508-4a6d-9fb5-f03ca6319af7","report_timestamp":"2025-02-07T23:59:32.033309Z","service_engine":"GB-DRN-AB-Tier2-se-bmqhk","vcpu_id":0,"log_id":89302,"client_ip":"112.12.53.70","client_src_port":37228,"client_dest_port":443,"client_rtt":1,"request_state":"AVI_HTTP_REQUEST_STATE_SSL_HANDSHAKING","significant_log":["ADF_CLIENT_CONNECTION_CLOSED_BEFORE_REQUEST"],"vs_ip":"128.160.71.101","ocsp_status_resp_sent":true,"max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":1,"source_ip":"128.12.53.70","vs_name":"v-wasphictst-wdc.hc.cloud.uk.sony-443","tenant_name":"admin"}

So what we have done is removed the non-JSON part from this using SEDCMD and extracted the JSON events by setting KV_MODE=json on the SH. Till here it is good.

Formatted log sample -

   (nested objects and arrays shown collapsed as { ... } / [ ... ])

   adf: true
   all_request_headers: { ... }
   all_response_headers: { ... }
   avg_ingress_latency_fe: 0
   cacheable: true
   client_dest_port: 443
   client_insights:
   client_ip: 112.11.227.250
   client_rtt: 1
   client_src_port: 34057
   compression: NO_COMPRESSION_CAN_BE_COMPRESSED
   compression_percentage: 0
   conn_est_time_fe: 1
   host: wasphictst-wdc.hc.cloud.uk.sony
   http_version: 1.1
   jwt_log: { ... }
   log_id: 122364
   max_ingress_latency_fe: 0
   method: GET
   report_timestamp: 2025-02-18T16:30:29.084682Z
   request_headers: 577
   request_id: 6vT-vgq1-nSjL
   request_length: 131
   request_state: AVI_HTTP_REQUEST_STATE_READ_CLIENT_REQ_HDR
   response_code: 403
   response_content_type: text/html
   response_headers: 12
   response_length: 4181
   response_time_first_byte: 1
   response_time_last_byte: 1
   service_engine: GB-DRN-AB-Tier2-se-vxeuz
   significant: 0
   significant_log: [ ... ]
   sni_hostname: wasphictst-wdc.hc.cloud.uk.sony
   source_ip: 128.11.227.250
   ssl_cipher: TLS_AES_256_GCM_SHA384
   ssl_session_id: 5032f265bd7d88f768c096bbbf78d4f2
   ssl_version: TLSv1.3
   tenant_name: admin
   udf: false
   uri_path: /cmd
   user_agent: insomnia/2021.5.3
   vcpu_id: 0
   virtualservice: virtualservice-e52d1117-b508-4a6d-9fb5-f03ca6319af7
   vs_ip: 123.160.71.101
   vs_name: v-wasphictst-wdc.hc.cloud.uk.sony-443
   waf_log: { ... }

We want to re-arrange these fields, that is, we have some less-informative strings at the top and more informative fields like waf_log at the bottom. How to do this re-arranging part? Checked from the source end and they can't do anything from their side.

And one more thing: we want waf_log to be automatically expanded by default, not every time by clicking + and again + + + in this way. Please help me with these two requirements.

0 Karma
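The two steps the post describes (strip the syslog header before the first `{`, then parse the JSON) can be rehearsed at search time before committing a SEDCMD to props.conf, and a `table` command is the only way in plain SPL to put waf_log ahead of the alphabetically-sorted fields. The search below is an added example, not from the original post or from Splunk's documentation; `index=a` and `sourcetype="xxx:xxxx"` are the placeholder names used later in this thread, `json_body` is a field name chosen here, and the listed fields are the ones visible in the sample event above.

```spl
index=a sourcetype="xxx:xxxx"
| rex field=_raw "^[^{]*(?<json_body>\{.*\})$"
| spath input=json_body
| table waf_log.status waf_log.rule_logs{}.rule_group waf_log.rule_logs{}.rule_id waf_log.rule_logs{}.msg client_ip source_ip uri_path request_state response_code ssl_version
```

The `rex` pattern mirrors a SEDCMD of the form `s/^[^{]*//` (everything up to the first brace is dropped); if this search returns the JSON fields you expect, the same regex is safe to apply at index time. Note that `table` changes the order only in a table view; the raw-event viewer with KV_MODE=json will still list fields alphabetically, which is the behaviour the answers below describe.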

Karthikeya
Communicator

Created 4 panels for waf_logs as below:

Base Search - index=a sourcetype="xxx:xxxx" | fields * | fillnull value="NULL"

Panel - 1

|search client_ip="$cli_ip$" uri_query="$uri_que$" waf_log.rule_logs{}.rule_id="$rule_id$" waf_log.rule_logs{}.rule_name="$rule_name$" waf_log.status="$log_status$" waf_log.rule_logs{}.msg="$log_mess$" |stats count by waf_log.rule_logs{}.rule_group |rename waf_log.rule_logs{}.rule_group as "Rule Group" |sort - count

Panel 2 - 

|search client_ip="$cli_ip$" uri_query="$uri_que$" waf_log.rule_logs{}.rule_id="$rule_id$" waf_log.rule_logs{}.rule_name="$rule_name$" waf_log.status="$log_status$" waf_log.rule_logs{}.msg="$log_mess$" |stats count by waf_log.rule_logs{}.rule_id
|rename waf_log.rule_logs{}.rule_id as "Rule ID" |sort - count

Panel 3 - 

|search client_ip="$cli_ip$" uri_query="$uri_que$" waf_log.rule_logs{}.rule_id="$rule_id$" waf_log.rule_logs{}.rule_name="$rule_name$" waf_log.status="$log_status$" waf_log.rule_logs{}.msg="$log_mess$" |stats count by waf_log.status
|rename waf_log.status as "Log Status" |sort - count

Panel 4 - 

|search client_ip="$cli_ip$" uri_query="$uri_que$" waf_log.rule_logs{}.rule_id="$rule_id$" waf_log.rule_logs{}.rule_name="$rule_name$" waf_log.status="$log_status$" waf_log.rule_logs{}.msg="$log_mess$" |stats count by waf_log.rule_logs{}.msg
|rename waf_log.rule_logs{}.msg as "Log Message" |sort - count

Any suggestions on these dashboards to make them more readable when they click on any of the values?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Create another dashboard or panel which displays the event as you would like it and modify the drilldown on the original panel(s) to link to the new dashboard or make the new panel visible in the current dashboard.

0 Karma
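Taking the drilldown suggestion above together with the four count panels, a detail panel can expand `waf_log` into one row per WAF rule instead of sending the user back to the collapsed raw event. This search is an added example, not part of either post; it assumes `_raw` is already the bare JSON body (as the opening post says SEDCMD made it), reuses the `$cli_ip$` and `$uri_que$` tokens from the panel post, and uses `rule` and `waf_status` as field names chosen here. The keys `rule_group`, `rule_id`, `rule_name`, `msg` and `waf_log.status` are the ones the panels already reference.

```spl
index=a sourcetype="xxx:xxxx" client_ip="$cli_ip$" uri_query="$uri_que$"
| spath path=waf_log.status output=waf_status
| spath path=waf_log.rule_logs{} output=rule
| mvexpand rule
| spath input=rule
| table _time client_ip uri_path waf_status rule_group rule_id rule_name msg
| sort - _time
```

`spath path=waf_log.rule_logs{}` returns the array as a multivalue field whose entries are the individual rule objects; `mvexpand` gives each rule its own event and the second `spath` lifts `rule_id`, `rule_name`, `msg` and `rule_group` to top-level fields. Set the count panels' drilldown to populate the tokens and show this panel (or link to a dashboard containing it), and the WAF detail is open by default with no `+` clicks.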

Karthikeya
Communicator

Hi @ITWhisperer ,

We want the log events to be in such a manner that is useful for our app owners.

For example, in my sample log... avg_ingress_latency_fe: 0
   cacheable: true
   client_dest_port: 443
   client_insights:

These strings at the beginning are not at all useful (but can't be removed), but waf_log, which is at the bottom, is more important and we want this at the beginning.

@livehybrid  @ITWhisperer Yes, I achieved it by creating a dashboard, but even after they click on any dashboard panel, they will be seeing the same less important strings (the same event format), which is not what is supposed to happen.

0 Karma

livehybrid
SplunkTrust
SplunkTrust

I see, sorry - I don't think it is possible to achieve what you are looking for without removing the fields you don't want to see from the source data.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

livehybrid
SplunkTrust
SplunkTrust

Hi @Karthikeya 

The reason waf_logs is at the bottom is because JSON events are output in alphabetical order when viewed as a JSON formatted event, and it isn't expanded because it is a child of the main event.

These are things which cannot be changed when viewing it in this way; however, you could create dashboards perhaps to display the data in a table or something like that if this is preferred?

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What do you hope to achieve which can't be done in SPL and your dashboard searches?

0 Karma