Hello,
I index some logs in JSON format.
I manage to access JSON field with:
search| spath "jsonfield" | search "jsondield"= "value"
My problem is on a specific field in my json:
Json exemple:
[{"source":"mySource","id":"2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:28:57.970Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"POLICY","message":"Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"}},{"source":"mySource","id":"33db40d4-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:29:08.190Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"SUCCESS","message":"SSO myKey \"myKey 1\""}}]
In result.message field, Splunk read string but i would like to exctract fields.
Exemple, I woulrd like to extract:
Application Name
Country
Mobile Os Version
etc...
How could I do that?
I can't change json format (I don't manage the app who send it to me...)
Regards
Hi.
This should do the trick. Note that the names I used for the fields can of course be changed.
| makeresults
| eval message="Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"
| rex field=message "Country: (?<Country>\w+)"
| rex field=message "Application Name: (?<appName>[A-Z\/]+)"
| rex field=message "nMobile OS Version: (?<mobOsVer>[A-Z\/]+)"
the example json string that you have cited above..does it come as one single event?
Hello,
Thanks for your answer.
I'm not sure to understand your question.
I'll try to answer.
In fact I poll logs from an app in SaaS.
The json I cited is when a single user do an action.
But If many users did actions when i poll logs, the json will contains all events.
Is it ok for you?
Regards
I am not quite sure but let us try this. In this case I will try to extract the 'id' field. Now, in this sample that you have provided, id has 2 distinct values, so if we try this <your search>| rex field=_raw "id\"+\:+\"(?<id>.*?)\"+" max_match=0|table id
you should ideally receive an id column with the 2 different id values as rows. Now, is that something similar to what you want? I have taken id as an example here but you want the same for different fields, like application name, country, OS etc?