
How could I read / transform a string in JSON data?

simounth
New Member

Hello,

I index some logs in JSON format.
I manage to access JSON fields with:
search | spath "jsonfield" | search "jsonfield"="value"

My problem is with a specific field in my JSON:

JSON example:
[{"source":"mySource","id":"2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:28:57.970Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"POLICY","message":"Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"}},{"source":"mySource","id":"33db40d4-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:29:08.190Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"SUCCESS","message":"SSO myKey \"myKey 1\""}}]

In the result.message field, Splunk reads a string, but I would like to extract fields.

For example, I would like to extract:
Application Name
Country
Mobile OS Version
etc...

How could I do that?

I can't change the JSON format (I don't manage the app that sends it to me...)

Regards


poete
Builder

Hi.

This should do the trick. Note that the names I used for the fields can of course be changed.

| makeresults 
| eval message="Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"
| rex field=message "Country: (?<Country>\w+)"
| rex field=message "Application Name: (?<appName>[A-Z\/]+)"
| rex field=message "Mobile OS Version: (?<mobOsVer>[A-Z\/]+)"

Sukisen1981
Champion

The example JSON string that you have cited above, does it come as one single event?


simounth
New Member

Hello,

Thanks for your answer.
I'm not sure I understand your question.

I'll try to answer.
In fact I poll logs from an app in SaaS.

The JSON I cited is when a single user does an action.
But if many users did actions when I poll logs, the JSON will contain all events.

Is it ok for you?

Regards


Sukisen1981
Champion

I am not quite sure, but let us try this. In this case I will try to extract the 'id' field. Now, in this sample that you have provided, id has 2 distinct values, so if we try this:

<your search> | rex field=_raw "id\"+\:+\"(?<id>.*?)\"+" max_match=0 | table id

you should ideally receive an id column with the 2 different id values as rows. Now, is that something similar to what you want? I have taken id as an example here, but you want the same for different fields, like application name, country, OS etc.?

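The same extraction done outside Splunk, as an added example that is not part of this thread: a Python script that walks the polled JSON array (one record per event, as discussed above) and splits the multi-line result.message into named fields. It splits each line on the first ": " only, so the "Requested Application ID" URL keeps its colon, and it skips lines that are not key/value pairs (the "Authentication Details:" header and the free-text SUCCESS message); the sample below is constructed and abbreviated from the events quoted in the question.

```python
import json

# Constructed sample, abbreviated from the two events quoted in the question.
SAMPLE = json.dumps([
    {"source": "mySource", "id": "2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6",
     "recorded": "2018-12-06T12:28:57.970Z",
     "result": {"status": "POLICY",
                "message": "Authentication Details:\nIP Address: 255.255.255.255\n"
                           "Country: FR\nNew Device: true\n"
                           "Requested Application ID: https://www.myapplication.com/\n"
                           "Requested Application Name: N/A\nMobile OS Version: N/A\n"
                           "Rule Met: \"Default Action\"\n"}},
    {"source": "mySource", "id": "33db40d4-6e3c-11e8-8240-06db4a62e7d6",
     "recorded": "2018-12-06T12:29:08.190Z",
     "result": {"status": "SUCCESS", "message": "SSO myKey \"myKey 1\""}},
])


def parse_message(message):
    """Turn the newline-separated 'Key: value' block into a dict.

    Split on the first ': ' only, so a value containing a colon (the
    Requested Application ID URL) stays intact. Lines without that
    separator (the 'Authentication Details:' header, free-text SUCCESS
    messages) are skipped rather than producing bogus fields.
    """
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        # Drop the surrounding quotes seen on values like "Default Action".
        fields[key.strip()] = value.strip().strip('"')
    return fields


def extract_events(raw):
    """One poll may return several events; return one flat record per event."""
    records = []
    for event in json.loads(raw):
        record = {"id": event["id"], "recorded": event["recorded"],
                  "status": event["result"]["status"]}
        record.update(parse_message(event["result"]["message"]))
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in extract_events(SAMPLE):
        print(rec["id"], rec["status"], rec.get("Country"), rec.get("Mobile OS Version"))
```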