Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a field from an escaped string inside a nested JSON

z0r0
Engager
‎03-20-2022 09:58 PM

I'm looking for help in extracting "allowedSourceAddressPrefix" field/value from a JSON. This field is an escaped JSON string inside a nested JSON. Following is the JSON tree

- properties (extracted by splunk)

- /subscription/..../.../ (dynamic field)

- ports (escaped json)

- allowedSourceAddressPrefix (nested json)

The allowedSourceAddressPrefix takes values of single ipaddress (or) multiple ip addresses (or) *.

I have tried various rex patterns but failed in extracting the required field, Any help is appreciated. Following is the JSON that has the required field

 

 

properties: {
"User": "johndoe@contoso.com",
"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev": "{\"id\":\"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev\",\"ports\":[{\"number\":3389,\"allowedSourceAddressPrefix\":\"*\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"}]}",
"Justification": null
}

 

 

TIA

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 01:45 AM 
| rex "allowedSourceAddressPrefix\\\\\":\\\\\"(?<allowedSourceAddressPrefix>.*?)\\\\\""

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 01:45 AM 
| rex "allowedSourceAddressPrefix\\\\\":\\\\\"(?<allowedSourceAddressPrefix>.*?)\\\\\""
0 Karma
Reply
Solved! Jump to solution

z0r0
Engager
‎03-22-2022 09:49 AM

@ITWhisperer , the mistake I was doing is using | rex field=properties, your command worked for the actual data too. Thanks @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

z0r0
Engager
‎03-21-2022 11:33 AM

Thanks @ITWhisperer , but seems like I'm missing something to apply this when trying on actual data. The rex you've shared is working on makeresults(testing pattern). Can you pls correct me?

 

I'm trying this command

index=test_ms* "operationName.localizedValue"="Initiate JIT Network Access Policy" "eventName.localizedValue"="JIT network access request initiate started"
| rex field=properties "allowedSourceAddressPrefix\\\":\\\"(?<allowedSourceAddressPrefix>.*?)\\\""
| table allowedSourceAddressPrefix

 

And here's a sample data entry (actual raw data)

{
  "channels": "Operation",
  "eventName": {
    "value": "JIT network access request initiate started",
    "localizedValue": "JIT network access request initiate started"
  },
  "eventSource": {
    "value": "Security",
    "localizedValue": "Security"
  },
  "id": "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev/events/04xxxxab-5ecc-46b0-abfa-6aacb1f550ac/ticks/63783455299xxxxxx3",
  "level": "Informational",
  "resourceGroupName": "apple-dev",
  "resourceProviderName": {
    "value": "Microsoft.Compute",
    "localizedValue": "Microsoft.Compute"
  },
  "resourceUri": "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev",
  "operationName": {
    "value": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "localizedValue": "Initiate JIT Network Access Policy"
  },
  "properties": {
    "User": "johndoe@contoso.com",
    "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev": "{\"id\":\"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev\",\"ports\":[{\"number\":3389,\"allowedSourceAddressPrefix\":\"*\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"}]}",
    "Justification": null
  },
  "status": {
    "value": "Accepted",
    "localizedValue": "Accepted"
  },
  "subStatus": {
    "value": null
  },
  "eventTimestamp": "2022-03-21T1:50:39.1599446Z",
  "submissionTimestamp": "2022-03-21T1:50:39.1599446Z",
  "subscriptionId": "3483b2ca-02cf-4ff6-92af-99326c8fac7f"
}

 

Thanks Again

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 11:41 AM

You don't have enough backslashes - you need 3 sets of 5 (like I showed in my example) - SPL requires an extra level of escaping for backslashes above what is required by regex101.com for example.

0 Karma
Reply
Solved! Jump to solution

z0r0
Engager
‎03-21-2022 12:03 PM

@ITWhisperer , just checked on regex101.com, the rex with three slashes works for the raw data i shared

 

the rex string i gave in regex101.com is 
/allowedSourceAddressPrefix\\\":\\\"(?<allowedSourceAddressPrefix>.*?)\\\"/gm

 

for the raw data i shared and it was able to match and get the desired value.

0 Karma
Reply
Solved! Jump to solution

z0r0
Engager
‎03-21-2022 12:44 PM

@ITWhisperer , Oh, you meant more than regex101, still unable to get results with 5 slashes. Am I missing something when translating the command from makeresults example to the actual data(any formatting stuff)?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...