Getting Data In

JSON: split out nested key/values into separate events

zhatsispgx

Hello, I have a giant JSON blob that repeats similar key names across nested entries with different values. I'd like one item per row (with its keys as columns) rather than everything in a single event, but I'm not sure how to achieve this. Can anyone help?


_raw:

{"startTime": "2019-01-29T08:30:31", "finishTime": "2019-01-29T08:30:31", "elapsedTime": 0.284014, "server": "REDACTED", "worker": "BF4B6-CEA8C", "results": [{"flavors": {"mime": ["application/zip"], "yara": ["zip_file"]}, "entropyMetadata": {"entropy": 7.557669739231512}, "hashMetadata": {"md5": "1c1ce116840df2cb3d3d42a685ecedea", "sha1": "0da6c24a4e1bb556b89d20af6362298c68647bf9", "sha256": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "ssdeep": "96:Hg4NX829EYfFlUfDw1G1WV2w86FnxW204sGCfEHe1X8dI:7sRolULhw8hs7Dir"}, "headerMetadata": {"header": "PK\u0003\u0004\u0014\u0000\b\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0018\u0000\u0000\u0000xl/worksheets/Sheet1"}, "selfMetadata": {"filename": "file.11312", "depth": 0, "uid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "REDACTED", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanYara", "ScanZip"], "size": 5044}, "yaraMetadata": {"matches": ["zip_file"]}, "zipMetadata": {"total": {"files": 9, "extracted": 9}}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 4.6681910854877975}, "hashMetadata": {"md5": "3acc18198f587033e8e86523b4fd6fc2", "sha1": "9d6efa2cbf0e79b76a2cd4d18c27833169218292", "sha256": "8119d45d66c68bf0de35667726235f7703592c5bf7fb45c6a0d7c50de072a5d4", "ssdeep": "96:zXmmy1FUo5YVDGWqxWKieWwvUWx8vWiHaWs1WS+vWdcWofEGWYiWd1W134WgLWFt:zXmmyko5R4Rc"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::xl/worksheets/Sheet1.xml", "depth": 1, "uid": "ca0e91b5-9943-4b12-8423-ea8736b7b439", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": 
"3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "8119d45d66c68bf0de35667726235f7703592c5bf7fb45c6a0d7c50de072a5d4", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 3421}, "xmlMetadata": {"tags": ["worksheet", "dimension", "sheetViews", "sheetView", "selection", "sheetFormatPr", "cols", "col", "sheetData", "row", "c", "v", "mergeCells", "mergeCell"], "namespaces": ["http://schemas.openxmlformats.org/spreadsheetml/2006/main"], "total": {"tags": 148, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 4.9057915330411515}, "hashMetadata": {"md5": "d7f113311bfd8e12a2f0fdc82349dc41", "sha1": "45f556f93f7e3d0662c6d7387e88b4da2467fca5", "sha256": "18b1e60a1469b03740cacb8ee9f76da452729af0181106f46992fe8557939d69", "ssdeep": "12:TMHdtRa6fmEUdzXV6flbEpBy0HjzXa6flbEIWO4zXb6flbE3aWMJ:2dtRa6ffa7V6flYry0Hj7a6flYIC7b6b"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::xl/_rels/workbook.xml.rels", "depth": 1, "uid": "4a869b5a-a237-42b1-a271-c680a70fa66d", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "18b1e60a1469b03740cacb8ee9f76da452729af0181106f46992fe8557939d69", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 567}, "xmlMetadata": {"tags": ["Relationships", "Relationship"], "namespaces": 
["http://schemas.openxmlformats.org/package/2006/relationships"], "total": {"tags": 4, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 5.1409873721397465}, "hashMetadata": {"md5": "490780b9993797549261785340952e23", "sha1": "b84cb3dac7a0b7df765d8f5ca05e0ef9c8d04117", "sha256": "f65c54c12d087d7f8f0ef99a3af8fd20a0a801ba2bb03cf3ffa9859726c1af94", "ssdeep": "12:TMHdtd6fxhmflbEi7OkdlIMbkqC2uVed0:2dtd6fxhmflYiK2lp3Huy0"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::xl/workbook.xml", "depth": 1, "uid": "45829d37-8369-459a-aa7a-587ca1023506", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "f65c54c12d087d7f8f0ef99a3af8fd20a0a801ba2bb03cf3ffa9859726c1af94", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 554}, "xmlMetadata": {"tags": ["workbook", "fileVersion", "workbookPr", "bookViews", "workbookView", "sheets", "sheet", "calcPr", "webPublishing"], "namespaces": ["http://schemas.openxmlformats.org/spreadsheetml/2006/main"], "total": {"tags": 9, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 4.856269625900553}, "hashMetadata": {"md5": "d3d84e4f3fd6641527ea08d14fa3cc60", "sha1": "da0a23750ed4d5c1755d1383d455fcb49e29f6fd", "sha256": "1fdd26a05aca78655aa7750a05ec85288a4119ef4fbc884ef1c2ad016b74fc9d", "ssdeep": "24:2dtW6fw2+hQIKD97JQI1yg2+o+QIKD97G2BhQIKD942+8PQIKD97r2BVnQI1s2+O:c3I2++IstmI8g2+cIstG2AIs22+8YIso"}, "headerMetadata": {"header": "<?xml 
version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::[Content_Types].xml", "depth": 1, "uid": "641132ad-d10f-4657-813e-65c05fb86b87", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "1fdd26a05aca78655aa7750a05ec85288a4119ef4fbc884ef1c2ad016b74fc9d", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 1062}, "xmlMetadata": {"tags": ["Types", "Override", "Default"], "namespaces": ["http://schemas.openxmlformats.org/package/2006/content-types"], "total": {"tags": 9, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 5.056749057032474}, "hashMetadata": {"md5": "a452ee89ce551c1fda4adceec01c53a5", "sha1": "763df542d5cefc47a832a44ff557ed18c840d47c", "sha256": "7d55ff9a8b3345f0237d00d1fac022f8d8310e23b27ddef77e6694afd6618e14", "ssdeep": "24:2dti6fl4xflKJZ91/6rZIa+a0xctkLSrfIkgHtj4CPy/mb:cLN4xNKJZ9GZz+fOtku0kgHdF"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::docProps/app.xml", "depth": 1, "uid": "020dd5e6-529c-4d75-a755-7aa5c932ada8", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "7d55ff9a8b3345f0237d00d1fac022f8d8310e23b27ddef77e6694afd6618e14", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 799}, "xmlMetadata": {"tags": ["Properties", 
"Application", "DocSecurity", "ScaleCrop", "HeadingPairs", "vector", "variant", "lpstr", "i4", "TitlesOfParts", "Company", "LinksUpToDate", "SharedDoc", "HyperlinksChanged", "AppVersion"], "namespaces": ["http://schemas.openxmlformats.org/officeDocument/2006/extended-properties", "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"], "total": {"tags": 18, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 4.891739609989463}, "hashMetadata": {"md5": "35b7ce2cf3ce6ab89d3e1fe869217367", "sha1": "cac633ffab257ded87faa4d6f5fbe674e1644d6f", "sha256": "721f967d63987544ac3d67b0fcfa68f3c2e5fa59bf3eb6e05b909138fc1b81b2", "ssdeep": "6:TMVBd6OjzTriUifZ4QAOKVJnybaOKCBmOKJRkyVic4subi9XFL:TMHdtDrmf1knYgRN8i9Xd"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::docProps/core.xml", "depth": 1, "uid": "aa77049b-6144-472a-a7d1-0f0b410a3565", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "721f967d63987544ac3d67b0fcfa68f3c2e5fa59bf3eb6e05b909138fc1b81b2", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 364}, "xmlMetadata": {"tags": ["coreProperties"], "namespaces": ["http://schemas.openxmlformats.org/package/2006/metadata/core-properties"], "total": {"tags": 1, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 4.898841797221748}, "hashMetadata": {"md5": "6528cca361179301e8141d0d69199809", "sha1": "0c626f3f052667b69647082a04c70caa29d2e0ab", 
"sha256": "acfa568d36d755b755a62fcde058b93877e4e22065217422c29603c1835ed17e", "ssdeep": "12:TMHdtDa6fmEUdzXb6flbEOBSmzXa6fmEaSVgzXV6flbEjO5J:2dtDa6ffa7b6flYOQm7a6ffZVg7V6flL"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::_rels/.rels", "depth": 1, "uid": "a218d967-0e77-44dd-879d-9a5b824a5051", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "acfa568d36d755b755a62fcde058b93877e4e22065217422c29603c1835ed17e", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 586}, "xmlMetadata": {"tags": ["Relationships", "Relationship"], "namespaces": ["http://schemas.openxmlformats.org/package/2006/relationships"], "total": {"tags": 4, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 4.955445261758916}, "hashMetadata": {"md5": "da0b85e76d76297295728f092769b2dd", "sha1": "761da69b436e9e63c0b41544be6415bed9cad7c0", "sha256": "91a22e047a1fa8937db9bea343945155f8aa7da8a791733103a758bb128550cf", "ssdeep": "48:cT45karwHrjnItJAJVGDsosDMsosDMsMsnIMsMsNVf4qkpvyXGPVqLZ/h:44cjItCDMf4qkpa2PVKh"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::xl/styles.xml", "depth": 1, "uid": "cdbe6179-4320-4258-afec-c18efe8445d2", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "91a22e047a1fa8937db9bea343945155f8aa7da8a791733103a758bb128550cf", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": 
"06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 4550}, "xmlMetadata": {"tags": ["styleSheet", "numFmts", "numFmt", "fonts", "font", "sz", "color", "family", "name", "b", "u", "fills", "fill", "patternFill", "fgColor", "borders", "border", "left", "right", "top", "bottom", "diagonal", "cellStyleXfs", "xf", "cellXfs", "alignment", "cellStyles", "cellStyle", "dxfs", "tableStyles", "colors"], "namespaces": ["http://schemas.openxmlformats.org/spreadsheetml/2006/main"], "total": {"tags": 121, "extracted": 0}, "version": "1.0"}, "yaraMetadata": {"matches": ["xml_file"]}}, {"flavors": {"mime": ["application/xml"], "yara": ["xml_file"]}, "entropyMetadata": {"entropy": 4.80920041129809}, "hashMetadata": {"md5": "113f9b2924b58a036725d12f77120dfd", "sha1": "4d98f75e1896e3bf505835f25b361ffe07a71296", "sha256": "086ce0a0958080c7abc022f919ca4cc606c9037814eda1ea294f10932f8685cf", "ssdeep": "24:2dtt6fxlXSfmD/zFzOzJUQ8KK0falgPSJPSWLM05fxE0eagKLYz5o1HRXcX/Ylo4:cG50fmD/zczJUQ8KHfaS+R15fxNeJK84"}, "headerMetadata": {"header": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"y"}, "selfMetadata": {"filename": "ScanZip::xl/sharedStrings.xml", "depth": 1, "uid": "824260b1-b68a-4c11-93c7-48ae8544305e", "parentUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "rootUid": "3d2950df-8303-42ba-91f3-8b5e022465c6", "hash": "086ce0a0958080c7abc022f919ca4cc606c9037814eda1ea294f10932f8685cf", "parentHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "rootHash": "06744aa51a21da65ad110297da4e917d0d0fc689aa0d7b4ee090faa6a716da8a", "source": "ScanZip", "scannerList": ["ScanEntropy", "ScanHash", "ScanHeader", "ScanSelf", "ScanXml", "ScanYara"], "size": 1141}, "xmlMetadata": {"tags": ["sst", "si", "t"], "namespaces": ["http://schemas.openxmlformats.org/spreadsheetml/2006/main"], "total": {"tags": 55, "extracted": 0}, "version": "1.0"}, 
"yaraMetadata": {"matches": ["xml_file"]}}]}