Getting Data In

json output read single value when there are multiple for a segment

surekhasplunk
Communicator

Hi,
I have a JSON output which is getting indexed correctly.
And I am collecting the IP from remoteManagement{}.ip. But in some cases I have multiple IPs under remoteManagement. In those cases I need to select only the one IP where protocol.name is NOT console. If there are 3 IPs and for one of them the protocol.name is console, then leave that one out and from the remaining 2 take any one IP.
As you can see from the screenshot, one has protocol.name = console and for the third one protocol.name = ssh.
So here I will need to eval ssh_ip=192.0.32.38

And then use it in my query below to filter only those records.

index="unicorn" ("infrastructure{}.type"=critical OR "infrastructure{}.type"=vital)
| mvexpand "infrastructure{}.name"
| rename assetId as "AssetID" "infrastructure{}.name" as "Infrastructure Name" name as Nom "remoteManagement{}.ip" as Ip "realm{}.name" as Type
| table "Infrastructure Name" "AssetID" Nom Ip Type
| mvexpand Ip
| where Ip=ssh_ip

How do I calculate ssh_ip here? I tried to use
| spath "remoteManagement{}.protocol.name" | search "remoteManagement{}.protocol.name"!=console
OR
| spath "remoteManagement{}.protocol.name" | search "remoteManagement{}.protocol.name"=ssh

But it's giving all 3 IPs.

Please help.

Thanks

0 Karma

to4kawa
Ultra Champion
index="unicorn"
| spath assetId 
| search assetId=MA9624121 
| lookup Input_splunk_all.csv RTR as name 
| spath output=manage remoteManagement{} 
| table name manage
| stats values(name) as name by manage
| spath input=manage

Hi, @surekhasplunk
How about this?

0 Karma

woodcock
Esteemed Legend

I think that I finally get it. Try adding this to drop the console values from the multivalued manage field:

... | eval manage = mvfilter(NOT match(manage, "\"name\":\"console\""))
0 Karma
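As an added illustration (not code from this thread or from Splunk), here is a small Python model of why the original `search ... !=console` returned all 3 IPs while the mvfilter approach above does not: `search` decides per event, mvfilter decides per value of the multivalued field. The sample `manage` values are constructed, trimmed copies of the JSON objects posted later in the thread; the function names are mine.

```python
import json
import re

# Constructed sample: the three values of the multivalued "manage" field,
# trimmed copies of the JSON objects shown in the thread's table output.
MANAGE = [
    '{"id":18450,"protocol":{"name":"console"},"ip":"184.7.138.72","port":"7013"}',
    '{"id":18451,"protocol":{"name":"https"},"ip":"192.0.32.38","port":"443"}',
    '{"id":18449,"protocol":{"name":"ssh"},"ip":"192.0.32.38","port":"22"}',
]


def event_level_filter(manage):
    """Model `| search "remoteManagement{}.protocol.name"!=console`.

    After spath the protocol names sit in ONE multivalued field per event,
    and `search` keeps or drops the whole event: if any value passes the
    predicate, every ip of that event survives, which is why all 3 IPs
    came back in the question."""
    names = [json.loads(m)["protocol"]["name"] for m in manage]
    if any(name != "console" for name in names):
        return [json.loads(m)["ip"] for m in manage]
    return []


def mvfilter_not_console(manage):
    """Model the mvfilter/match answer from the thread: drop every value
    whose raw JSON text contains "name":"console". The predicate runs per
    value, so only the console entry goes and https and ssh remain."""
    return [m for m in manage if not re.search(r'"name":"console"', m)]


def pick_ssh_ip(manage):
    """Return one ssh_ip as the question asks: any non-console ip,
    deduplicated so the https and ssh entries sharing 192.0.32.38 count
    once; None when every entry is console."""
    ips = [json.loads(m)["ip"] for m in mvfilter_not_console(manage)]
    unique = list(dict.fromkeys(ips))  # preserves first-seen order
    return unique[0] if unique else None


if __name__ == "__main__":
    print("search keeps:", event_level_filter(MANAGE))
    print("mvfilter keeps:", len(mvfilter_not_console(MANAGE)), "values")
    print("ssh_ip =", pick_ssh_ip(MANAGE))
```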

surekhasplunk
Communicator

Hi @woodcock and @aberkow,

Could you please help me here, as I have uploaded the images now.

Thanks in advance.

0 Karma

woodcock
Esteemed Legend

Did you notice where I said NOT to use images? Post TEXT.

0 Karma

surekhasplunk
Communicator

Hi @woodcock,

Below is what I am receiving under remoteManagement, which I am evaluating for Ip.
Now my requirement is that I need to get only the ip where protocol.name=ssh.

remoteManagement: [
  {
    "additionalInformation": null,
    "device": 7490,
    "id": 18450,
    "ip": "184.7.138.72",
    "login": "HASDf",
    "password": null,
    "plainTextURL": null,
    "port": 7013,
    "protocol": { "name": "console" }
  },
  {
    "additionalInformation": null,
    "device": 7490,
    "id": 18451,
    "ip": "192.0.32.38",
    "login": "matricule SG",
    "password": null,
    "plainTextURL": null,
    "port": 443,
    "protocol": { "name": "https" }
  },
  {
    "additionalInformation": null,
    "device": 7490,
    "id": 18449,
    "ip": "192.0.32.38",
    "login": "matricule SG",
    "password": null,
    "plainTextURL": null,
    "port": 22,
    "protocol": { "name": "ssh" }
  }
]
0 Karma

kamlesh_vaghela
SplunkTrust

Hello @surekhasplunk

Kindly post _raw event.

0 Karma

surekhasplunk
Communicator

For example:
Below is my query, and I know that for this asset id I have 3 values under remoteManagement{}.ip

index="unicorn"
| spath assetId
| search assetId=MA9624121
| lookup Input_splunk_all.csv RTR as name
| spath output=manage remoteManagement{}
| table name manage

Below is the output.

name    manage
HFSOFW401   
{"id":18450,"protocol":{"name":"console"},"ip":"184.7.138.72","port":"7013","additionalInformation":null,"plainTextURL":null,"login":"HFSOFW401","password":null,"device":7490}
{"id":18451,"protocol":{"name":"https"},"ip":"192.0.32.38","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7490}
{"id":18449,"protocol":{"name":"ssh"},"ip":"192.0.32.38","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7490}
0 Karma

woodcock
Esteemed Legend

Show us entire sample events and a mockup of the desired output.

0 Karma

woodcock
Esteemed Legend

And by show I DO NOT mean a picture; send us plain text.

0 Karma

surekhasplunk
Communicator

Hi @aberkow and @woodcock,

I am so sorry for the inconvenience; I hope you can see the images now.

0 Karma

aberkow
Builder

I don't see a screenshot - can you give a sanitized version of the result up to the point where you're happy with the output? (i.e., what is the result before you try your spath command?)

0 Karma