Knowledge Management

How could I read / transform a string in JSON data?

simounth
New Member

Hello,

I index some logs in JSON format.
I manage to access JSON fields with:
search | spath "jsonfield" | search "jsonfield"="value"

My problem is on a specific field in my json:

JSON example:
[{"source":"mySource","id":"2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:28:57.970Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"POLICY","message":"Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"}},{"source":"mySource","id":"33db40d4-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:29:08.190Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"SUCCESS","message":"SSO myKey \"myKey 1\""}}]

In the result.message field, Splunk reads a string, but I would like to extract fields.

For example, I would like to extract:
Application Name
Country
Mobile OS Version
etc...

How could I do that?

I can't change the JSON format (I don't manage the app that sends it to me...)

Regards


poete
Builder

Hi.

This should do the trick. Note that the names I used for the fields can of course be changed.

| makeresults 
| eval message="Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"
| rex field=message "Country: (?<Country>\w+)"
| rex field=message "Application Name: (?<appName>[A-Z\/]+)"
| rex field=message "nMobile OS Version: (?<mobOsVer>[A-Z\/]+)"
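
The same key/value pairing that the rex commands above perform, as an added Python example that is not part of this thread (the JSON sample is constructed from the question's two events, trimmed to the fields used here). It shows the decisions a practitioner has to make for this message format: split each line on the first ": " only so URL values such as "Requested Application ID" survive intact, skip the "Authentication Details:" header line that has no value, strip the quotes around values like "Default Action", and yield no message fields for the second event, whose message has no key/value lines.

```python
import json
import re

# Constructed sample based on the question's two events (same ids, trimmed message).
SAMPLE_JSON = r'''[{"source":"mySource","id":"2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:28:57.970Z","result":{"status":"POLICY","message":"Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nMobile OS Version: N/A\nRule Met: \"Default Action\"\n"}},{"source":"mySource","id":"33db40d4-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:29:08.190Z","result":{"status":"SUCCESS","message":"SSO myKey \"myKey 1\""}}]'''

# One "Key: Value" line. The key stops at the FIRST colon that is followed by
# whitespace, so "Requested Application ID: https://..." keeps its full URL value,
# and a header line such as "Authentication Details:" (colon, then newline) is skipped.
KV_LINE = re.compile(r"^(?P<key>[^:\n]+?):[ \t]+(?P<value>.*)$", re.MULTILINE)


def to_field_name(key: str) -> str:
    """Normalise a message key into a Splunk-style field name, e.g. 'Mobile OS Version' -> 'mobile_os_version'."""
    return re.sub(r"[^A-Za-z0-9]+", "_", key).strip("_").lower()


def parse_message(message: str) -> dict:
    """Turn the 'Key: Value' lines of result.message into a dict; other lines are ignored."""
    fields = {}
    for m in KV_LINE.finditer(message):
        key = m.group("key").strip()
        value = m.group("value").strip().strip('"')  # 'Rule Met: "Default Action"' -> Default Action
        fields[key] = value
    return fields


def extract_events(raw: str) -> list:
    """Parse one polled JSON payload and flatten every event into a row of id, recorded, status and message fields."""
    events = json.loads(raw)
    if isinstance(events, dict):  # a single-event poll might arrive as an object rather than an array
        events = [events]
    rows = []
    for ev in events:
        result = ev.get("result") or {}
        row = {"id": ev.get("id"), "recorded": ev.get("recorded"), "status": result.get("status")}
        for key, value in parse_message(result.get("message") or "").items():
            row[to_field_name(key)] = value
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in extract_events(SAMPLE_JSON):
        print(row)
```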

Sukisen1981
Champion

The example JSON string that you have cited above... does it come as one single event?


simounth
New Member

Hello,

Thanks for your answer.
I'm not sure I understand your question.

I'll try to answer.
In fact, I poll logs from a SaaS app.

The JSON I cited is from when a single user does an action.
But if many users did actions when I poll logs, the JSON will contain all the events.

Is it ok for you?

Regards


Sukisen1981
Champion

I am not quite sure, but let us try this. In this case I will try to extract the 'id' field. Now, in the sample that you have provided, id has 2 distinct values, so if we try this:
<your search>| rex field=_raw "id\"+\:+\"(?<id>.*?)\"+" max_match=0|table id
you should ideally receive an id column with the 2 different id values as rows. Now, is that something similar to what you want? I have taken id as an example here, but do you want the same for different fields, like application name, country, OS etc.?
