
How to achieve a field extraction from json events?

balu1211
Path Finder

Hi,

Could you help in extracting the fields from these JSON events?

sample JSON event 1

{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":[{"data":"","action":"deny","selector":"","tag":"IPBLOCK",

sample JSON event 2

{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":"tag":"IPBLOCK/ADAPTIVE/BURST" qualification(4) rate on category bucket(2,Page View Requests)),"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

output of the new field:

IPBLOCK

BURST

SUMMARY


Thanks..


yuanliu
SplunkTrust

When posting JSON data, please make sure to illustrate with conformant form.  None of the above samples is complete.  Whereas I can sort of consider the first sample an incomplete form, and just close missing brackets to form a conformant object, the second one is completely broken, and contradicts some implied structure I deduce from sample 1.  This is very unhelpful.

I will use the implied structure from sample 1.  Assuming the field "attackData.rules{}.tag" is already present. (Your numerous other posts kind of confirm this.)  As it comes from an array, it is multivalued.  So, use mvindex in mvmap iteration:

| eval ipblock = mvmap('attackData.rules{}.tag', mvindex(split('attackData.rules{}.tag', "/"), -1))

Let me throw in a bonus based on observations from your other related questions.  The values of "attackData.rules{}.tag" do not all begin with IPBLOCK.  If this is the case and you only want those values starting with IPBLOCK, you can add mvfilter to it.

| eval ipblock = mvmap('attackData.rules{}.tag',
 mvindex(split(mvfilter(match('attackData.rules{}.tag', "^IPBLOCK\b")), "/"), -1))
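A self-contained search to try the extraction end to end, added here as an example and not part of the answer above. It builds one constructed event shaped like sample 1 (the rule tags, including the non-IPBLOCK "OTHERRULE/SAMPLE" one, are made up for the test), lets spath produce the multivalue field attackData.rules{}.tag, and then derives both the unfiltered and the IPBLOCK-only last path segment; the filter is applied in a separate eval before mvmap, a variant of the single-expression form in the answer.

```spl
| makeresults
| eval _raw="{\"type\":\"akamai_siem\",\"format\":\"json\",\"version\":\"1.0\",\"attackData\":{\"rules\":[{\"action\":\"deny\",\"tag\":\"IPBLOCK\"},{\"action\":\"alert\",\"tag\":\"IPBLOCK/ADAPTIVE/BURST\"},{\"action\":\"alert\",\"tag\":\"IPBLOCK/ADAPTIVE/SUMMARY\"},{\"action\":\"alert\",\"tag\":\"OTHERRULE/SAMPLE\"}]}}"
| spath
| eval ipblock_all = mvmap('attackData.rules{}.tag', mvindex(split('attackData.rules{}.tag', "/"), -1))
| eval ipblock_tags = mvfilter(match('attackData.rules{}.tag', "^IPBLOCK\b"))
| eval ipblock = mvmap(ipblock_tags, mvindex(split(ipblock_tags, "/"), -1))
| table attackData.rules{}.tag ipblock_all ipblock
```

Expected result: ipblock_all holds IPBLOCK, BURST, SUMMARY, SAMPLE while ipblock holds only IPBLOCK, BURST, SUMMARY; on real data replace the makeresults/eval/spath lines with your index search, since spath runs automatically on well-formed JSON events.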

