Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how do coul I read / tranform string in json data?

simounth
New Member
‎06-13-2018 05:32 AM

Hello,

I index some logs in JSON format.
I manage to access JSON field with:
search| spath "jsonfield" | search "jsondield"= "value"

My problem is on a specific field in my json:

Json exemple:
[{"source":"mySource","id":"2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:28:57.970Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"POLICY","message":"Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"}},{"source":"mySource","id":"33db40d4-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:29:08.190Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"SUCCESS","message":"SSO myKey \"myKey 1\""}}]

In result.message field, Splunk read string but i would like to exctract fields.

Exemple, I woulrd like to extract:
Application Name
Country
Mobile Os Version
etc...

How could I do that?

I can't change json format (I don't manage the app who send it to me...)

Regards

Tags (1)
0 Karma
Reply

poete
Builder
‎06-15-2018 05:50 AM

Hi.

This should do the trick. Note that the names I used for the fields can of course be changed.

| makeresults 
| eval message="Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"
| rex field=message "Country: (?<Country>\w+)"
| rex field=message "Application Name: (?<appName>[A-Z\/]+)"
| rex field=message "nMobile OS Version: (?<mobOsVer>[A-Z\/]+)"
0 Karma
Reply

Sukisen1981
Champion
‎06-15-2018 05:20 AM

the example json string that you have cited above..does it come as one single event?

0 Karma
Reply

simounth
New Member
‎06-15-2018 05:23 AM

Hello,

Thanks for your answer.
I'm not sure to understand your question.

I'll try to answer.
In fact I poll logs from an app in SaaS.

The json I cited is when a single user do an action.
But If many users did actions when i poll logs, the json will contains all events.

Is it ok for you?

Regards

0 Karma
Reply

Sukisen1981
Champion
‎06-15-2018 05:35 AM

I am not quite sure but let us try this. In this case I will try to extract the 'id' field. Now, in this sample that you have provided, id has 2 distinct values, so if we try this <your search>| rex field=_raw "id\"+\:+\"(?<id>.*?)\"+" max_match=0|table id
you should ideally receive an id column with the 2 different id values as rows. Now, is that something similar to what you want? I have taken id as an example here but you want the same for different fields, like application name, country, OS etc?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...