Hi,
Could you help in extracting the fields from these JSON events?
sample json event1
{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":[{"data":"","action":"deny","selector":"","tag":"IPBLOCK",
sample json event 2
{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":"tag":"IPBLOCK/ADAPTIVE/BURST" qualification(4) rate on category bucket(2,Page View Requests)),"tag":"IPBLOCK/ADAPTIVE/SUMMARY"
output of the new field :
IPBLOCK
BURST
SUMMARY
Thanks..
When posting JSON data, please make sure to illustrate with conformant form. None of the above samples is complete. Whereas I can sort of consider the first sample an incomplete form, and just close missing brackets to form a conformant object, the second one is completely broken, and contradicts some implied structure I deduce from sample 1. This is very unhelpful.
I will use the implied structure from sample 1. Assuming the field "attackData.rules{}.tag" is already present. (Your numerous other posts kind of confirm this.) As it comes from an array, it is multivalued. So, use mvindex in mvmap iteration:
| eval ipblock = mvmap('attackData.rules{}.tag', mvindex(split('attackData.rules{}.tag', "/"), -1))
Let me throw in a bonus based on observation from your other related questions. "attackData.rules{}.tag" do not all begin with IPBLOCK. If this is the case and you only want those values starting with IPBLOCK, you can add mvfilter to it.
| eval ipblock = mvmap('attackData.rules{}.tag',
mvindex(split(mvfilter(match('attackData.rules{}.tag', "^IPBLOCK\b")), "/"), -1))
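To check the intended result outside Splunk, here is an added Python example (not from the original post or the answer) that applies the same logic as the SPL above, split on "/" and keep the last segment, with the ^IPBLOCK\b filter, to a constructed, conformant version of sample event 1. The completed rule objects and their tags are assumptions; the page's own samples are truncated.

```python
import json
import re

# Constructed, conformant completion of the poster's sample event 1
# (tags and actions assumed; the page's own samples are truncated).
SAMPLE_EVENT = json.dumps({
    "type": "akamai_siem", "format": "json", "version": "1.0",
    "attackData": {"rules": [
        {"data": "", "action": "deny", "selector": "", "tag": "IPBLOCK"},
        {"data": "", "action": "alert", "selector": "", "tag": "IPBLOCK/ADAPTIVE/BURST"},
        {"data": "", "action": "alert", "selector": "", "tag": "IPBLOCK/ADAPTIVE/SUMMARY"},
        {"data": "", "action": "deny", "selector": "", "tag": "SQLI/GENERIC"},
    ]},
})

# Constructed near miss: "IPBLOCKER" must not pass the ^IPBLOCK\b filter.
NEAR_MISS_EVENT = '{"attackData":{"rules":[{"tag":"IPBLOCKER/X"}]}}'

IPBLOCK_RE = re.compile(r"^IPBLOCK\b")


def rule_tags(event_json):
    """Equivalent of Splunk's multivalued field attackData.rules{}.tag."""
    event = json.loads(event_json)
    rules = event.get("attackData", {}).get("rules", [])
    if not isinstance(rules, list):  # tolerate a single rule object
        rules = [rules]
    return [r["tag"] for r in rules if isinstance(r, dict) and "tag" in r]


def ipblock_values(event_json, only_ipblock=True):
    """Last '/'-separated segment of each tag: mvindex(split(tag, "/"), -1)."""
    tags = rule_tags(event_json)
    if only_ipblock:
        # The mvfilter(match(tag, "^IPBLOCK\b")) step from the answer.
        tags = [t for t in tags if IPBLOCK_RE.match(t)]
    return [t.split("/")[-1] for t in tags]


if __name__ == "__main__":
    print(ipblock_values(SAMPLE_EVENT))         # ['IPBLOCK', 'BURST', 'SUMMARY']
    print(ipblock_values(SAMPLE_EVENT, False))  # ['IPBLOCK', 'BURST', 'SUMMARY', 'GENERIC']
```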