Splunk Search

How to achieve a field extraction from json events?

balu1211
Path Finder

Hi,

Could you help in extracting the fields from these JSON events.

Sample JSON event 1

{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":[{"data":"","action":"deny","selector":"","tag":"IPBLOCK",

Sample JSON event 2

{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":"tag":"IPBLOCK/ADAPTIVE/BURST" qualification(4) rate on category bucket(2,Page View Requests)),"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

output of the new field :

IPBLOCK

BURST

SUMMARY

 

Thanks..

1 Solution

yuanliu
SplunkTrust

When posting JSON data, please make sure to illustrate with conformant form.  None of the above samples is complete.  Whereas I can sort of consider the first sample an incomplete form, and just close missing brackets to form a conformant object, the second one is completely broken, and contradicts some implied structure I deduce from sample 1.  This is very unhelpful.

I will use the implied structure from sample 1.  Assuming the field "attackData.rules{}.tag" is already present. (Your numerous other posts kind of confirm this.)  As it comes from an array, it is multivalued.  So, use mvindex in mvmap iteration:

| eval ipblock = mvmap('attackData.rules{}.tag', mvindex(split('attackData.rules{}.tag', "/"), -1))

Let me throw in a bonus based on observation from your other related questions.  The values of "attackData.rules{}.tag" do not all begin with IPBLOCK.  If this is the case and you only want those values starting with IPBLOCK, you can add mvfilter to it.

| eval ipblock = mvmap('attackData.rules{}.tag',
 mvindex(split(mvfilter(match('attackData.rules{}.tag', "^IPBLOCK\b")), "/"), -1))

 
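To check what the two eval expressions above should produce on a well-formed event, here is an added Python reference implementation of the same transformation. It is not from the original thread and not Splunk code; it assumes the Splunk semantics the answer relies on (auto-extraction of a JSON array into the multivalue field attackData.rules{}.tag in array order, mvmap applying its expression to each value, mvindex(..., -1) returning the last element). SAMPLE_EVENT is a constructed, conformant event modelled on sample 1 with extra rules added so that the mvfilter path is exercised; the function names rule_tags, last_segment and ipblock_field are hypothetical.

```python
import json
import re

# Constructed sample event (assumption): a conformant version of the poster's
# sample 1 with extra rules, so the IPBLOCK filter has something to reject.
# It is NOT the original Akamai event, which was posted incomplete.
SAMPLE_EVENT = json.dumps({
    "type": "akamai_siem",
    "format": "json",
    "version": "1.0",
    "attackData": {
        "rules": [
            {"data": "", "action": "deny", "selector": "", "tag": "IPBLOCK"},
            {"data": "", "action": "deny", "selector": "", "tag": "IPBLOCK/ADAPTIVE/BURST"},
            {"data": "", "action": "deny", "selector": "", "tag": "IPBLOCK/ADAPTIVE/SUMMARY"},
            {"data": "", "action": "alert", "selector": "", "tag": "WAF/XSS/ATTACK"},
            {"data": "", "action": "alert", "selector": "", "tag": "IPBLOCKER/OTHER"},
        ]
    },
})

# Same pattern as match('attackData.rules{}.tag', "^IPBLOCK\b") in the answer.
# \b keeps "IPBLOCK" and "IPBLOCK/..." but rejects "IPBLOCKER/...".
IPBLOCK_RE = re.compile(r"^IPBLOCK\b")


def rule_tags(raw_event: str) -> list[str]:
    """Equivalent of Splunk's auto-extracted multivalue field
    attackData.rules{}.tag: one value per element of the rules array,
    in array order. Rejects events where rules is not an array, which is
    the shape of the broken sample 2 in the question."""
    event = json.loads(raw_event)
    rules = event.get("attackData", {}).get("rules", [])
    if not isinstance(rules, list):
        raise ValueError("attackData.rules is not a JSON array")
    return [r["tag"] for r in rules if isinstance(r, dict) and "tag" in r]


def last_segment(tag: str) -> str:
    """mvindex(split(tag, "/"), -1): the last '/'-separated component.
    A tag with no '/' (e.g. "IPBLOCK") comes back unchanged."""
    return tag.split("/")[-1]


def ipblock_field(raw_event: str, only_ipblock: bool = False) -> list[str]:
    """Reproduces the two eval expressions from the answer.
    only_ipblock=False: mvmap over every tag (first expression).
    only_ipblock=True : mvfilter on ^IPBLOCK\\b first (bonus expression)."""
    tags = rule_tags(raw_event)
    if only_ipblock:
        tags = [t for t in tags if IPBLOCK_RE.search(t)]
    return [last_segment(t) for t in tags]


if __name__ == "__main__":
    print(ipblock_field(SAMPLE_EVENT))
    print(ipblock_field(SAMPLE_EVENT, only_ipblock=True))
```

Running it against the constructed event gives IPBLOCK, BURST, SUMMARY, ATTACK, OTHER for the plain mvmap version and IPBLOCK, BURST, SUMMARY once the mvfilter is applied; note that the `\b` in the regex is what keeps a tag such as IPBLOCKER/OTHER out of the second result.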

