how do coul I read / tranform string in json data?

simounth · ‎06-13-2018

Hello,

I index some logs in JSON format.
I manage to access JSON field with:
search| spath "jsonfield" | search "jsondield"= "value"

My problem is on a specific field in my json:

Json exemple:
[{"source":"mySource","id":"2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:28:57.970Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"POLICY","message":"Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"}},{"source":"mySource","id":"33db40d4-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:29:08.190Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"SUCCESS","message":"SSO myKey \"myKey 1\""}}]

In result.message field, Splunk read string but i would like to exctract fields.

Exemple, I woulrd like to extract:
Application Name
Country
Mobile Os Version
etc...

How could I do that?

I can't change json format (I don't manage the app who send it to me...)

Regards

poete · ‎06-15-2018

Hi.

This should do the trick. Note that the names I used for the fields can of course be changed.

| makeresults 
| eval message="Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"
| rex field=message "Country: (?<Country>\w+)"
| rex field=message "Application Name: (?<appName>[A-Z\/]+)"
| rex field=message "nMobile OS Version: (?<mobOsVer>[A-Z\/]+)"

Sukisen1981 · ‎06-15-2018

the example json string that you have cited above..does it come as one single event?

simounth · ‎06-15-2018

Hello,

Thanks for your answer.
I'm not sure to understand your question.

I'll try to answer.
In fact I poll logs from an app in SaaS.

The json I cited is when a single user do an action.
But If many users did actions when i poll logs, the json will contains all events.

Is it ok for you?

Regards

Sukisen1981 · ‎06-15-2018

I am not quite sure but let us try this. In this case I will try to extract the 'id' field. Now, in this sample that you have provided, id has 2 distinct values, so if we try this <your search>| rex field=_raw "id\"+\:+\"(?<id>.*?)\"+" max_match=0|table id
you should ideally receive an id column with the 2 different id values as rows. Now, is that something similar to what you want? I have taken id as an example here but you want the same for different fields, like application name, country, OS etc?

how do coul I read / tranform string in json data?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor