Splunk Search

How to extract a field from an escaped string inside a nested JSON

z0r0
Engager

I'm looking for help in extracting the "allowedSourceAddressPrefix" field/value from a JSON. This field is an escaped JSON string inside a nested JSON. Following is the JSON tree:

- properties (extracted by splunk)
  - /subscription/..../.../ (dynamic field)
    - ports (escaped json)
      - allowedSourceAddressPrefix (nested json)

The allowedSourceAddressPrefix takes values of a single IP address, multiple IP addresses, or *.

I have tried various rex patterns but failed to extract the required field. Any help is appreciated. Following is the JSON that has the required field:

properties: {
"User": "johndoe@contoso.com",
"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev": "{\"id\":\"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev\",\"ports\":[{\"number\":3389,\"allowedSourceAddressPrefix\":\"*\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"}]}",
"Justification": null
}

TIA

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex "allowedSourceAddressPrefix\\\\\":\\\\\"(?<allowedSourceAddressPrefix>.*?)\\\\\""


z0r0
Engager

@ITWhisperer, the mistake I was making was using | rex field=properties; your command worked for the actual data too. Thanks @ITWhisperer

z0r0
Engager

Thanks @ITWhisperer, but it seems like I'm missing something when applying this to the actual data. The rex you've shared works on makeresults (testing the pattern). Can you please correct me?

I'm trying this command

index=test_ms* "operationName.localizedValue"="Initiate JIT Network Access Policy" "eventName.localizedValue"="JIT network access request initiate started"
| rex field=properties "allowedSourceAddressPrefix\\\":\\\"(?<allowedSourceAddressPrefix>.*?)\\\""
| table allowedSourceAddressPrefix

And here's a sample data entry (actual raw data)

{
  "channels": "Operation",
  "eventName": {
    "value": "JIT network access request initiate started",
    "localizedValue": "JIT network access request initiate started"
  },
  "eventSource": {
    "value": "Security",
    "localizedValue": "Security"
  },
  "id": "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev/events/04xxxxab-5ecc-46b0-abfa-6aacb1f550ac/ticks/63783455299xxxxxx3",
  "level": "Informational",
  "resourceGroupName": "apple-dev",
  "resourceProviderName": {
    "value": "Microsoft.Compute",
    "localizedValue": "Microsoft.Compute"
  },
  "resourceUri": "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev",
  "operationName": {
    "value": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "localizedValue": "Initiate JIT Network Access Policy"
  },
  "properties": {
    "User": "johndoe@contoso.com",
    "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev": "{\"id\":\"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev\",\"ports\":[{\"number\":3389,\"allowedSourceAddressPrefix\":\"*\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"}]}",
    "Justification": null
  },
  "status": {
    "value": "Accepted",
    "localizedValue": "Accepted"
  },
  "subStatus": {
    "value": null
  },
  "eventTimestamp": "2022-03-21T1:50:39.1599446Z",
  "submissionTimestamp": "2022-03-21T1:50:39.1599446Z",
  "subscriptionId": "3483b2ca-02cf-4ff6-92af-99326c8fac7f"
}

Thanks Again

ITWhisperer
SplunkTrust
SplunkTrust

You don't have enough backslashes - you need 3 sets of 5 (like I showed in my example) - SPL requires an extra level of escaping for backslashes above what is required by regex101.com for example.

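To make the escaping layers discussed above concrete, here is an added Python example (it is not code from the thread and not Splunk code): it shows the pattern as a regex engine or regex101.com reads it, how that pattern is escaped into an SPL double-quoted string (which produces the 5-backslash runs of the accepted answer) and unescaped again, why the 3-backslash form matches on regex101 but yields nothing once SPL has unescaped it, and a double `json.loads` alternative that avoids regex escaping altogether. The `spl_unescape` function is a simplified model of SPL string handling covering only `\\` and `\"` (an assumption). The sample event is constructed from the data posted in the thread with a second port and the constructed address 203.0.113.10 added, and the regex is run over the raw event text rather than the extracted `properties` field, consistent with the finding that `field=properties` was the problem.

```python
import json
import re

# Constructed sample event, modelled on the raw data posted in the thread:
# the "properties" object carries a dynamic "/subscriptions/..." key whose
# value is a JSON document serialised as a string, so the raw text contains
# backslash-quote (\") sequences. A second port entry with a constructed
# address (203.0.113.10) is added to show that every prefix is found.
RAW_EVENT = r'''{
  "eventName": {"value": "JIT network access request initiate started"},
  "properties": {
    "User": "johndoe@contoso.com",
    "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev": "{\"id\":\"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev\",\"ports\":[{\"number\":3389,\"allowedSourceAddressPrefix\":\"*\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"},{\"number\":22,\"allowedSourceAddressPrefix\":\"203.0.113.10\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"}]}",
    "Justification": null
  }
}'''

# Level 1: the regex as the regex engine (or regex101.com) sees it. The raw text
# holds a literal backslash before each quote, so the pattern needs \\ (one
# escaped backslash) followed by a plain quote. SPL's PCRE accepts the
# Python-style (?P<name>...) group spelling as well as (?<name>...).
REGEX = r'allowedSourceAddressPrefix\\":\\"(?P<allowedSourceAddressPrefix>.*?)\\"'


def to_spl_string_literal(regex: str) -> str:
    """Level 2: wrap a regex in an SPL double-quoted string.

    Inside "..." SPL reads \\ as one backslash and \" as one quote, so each
    backslash in the regex must be doubled and each quote escaped. Two regex
    backslashes plus an escaped quote become the 5-backslash runs from the
    accepted answer."""
    return '"' + regex.replace('\\', '\\\\').replace('"', '\\"') + '"'


def spl_unescape(literal: str) -> str:
    """Simplified model (assumption) of how SPL turns a double-quoted string
    back into the regex handed to rex: \\ -> \ and \" -> "; everything else
    passes through unchanged."""
    if not (literal.startswith('"') and literal.endswith('"')):
        raise ValueError("expected a double-quoted SPL string literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return ''.join(out)


def extract_via_regex(raw_event: str, regex: str) -> list[str]:
    """Run the regex over the raw event text, as rex does without field=."""
    return [m.group('allowedSourceAddressPrefix')
            for m in re.finditer(regex, raw_event)]


def extract_via_json(raw_event: str) -> list[str]:
    """Alternative without any regex escaping: parse the outer event, then
    parse the escaped string under the dynamic key a second time."""
    event = json.loads(raw_event)
    prefixes = []
    for key, value in event['properties'].items():
        if not key.startswith('/subscriptions/'):
            continue                  # User / Justification are not JSON strings
        inner = json.loads(value)     # the escaped string is itself a JSON document
        for port in inner.get('ports', []):
            prefixes.append(port['allowedSourceAddressPrefix'])
    return prefixes


# The 3-backslash form from the thread: fine for regex101, but after SPL's own
# unescaping \\\" collapses to \" (a bare quote), so the backslash present in
# the raw text is no longer matched and rex returns nothing.
SPL_THREE = r'"allowedSourceAddressPrefix\\\":\\\"(?P<allowedSourceAddressPrefix>.*?)\\\""'
SPL_FIVE = to_spl_string_literal(REGEX)

if __name__ == '__main__':
    print('SPL literal  :', SPL_FIVE)
    print('5 backslashes:', extract_via_regex(RAW_EVENT, spl_unescape(SPL_FIVE)))
    print('3 backslashes:', extract_via_regex(RAW_EVENT, spl_unescape(SPL_THREE)))
    print('json parsing :', extract_via_json(RAW_EVENT))
```

Running the script prints the 5-backslash SPL literal, the two prefixes found by that literal after unescaping, an empty list for the 3-backslash literal, and the same two prefixes from the JSON route. Of the two extraction routes, the JSON one is the more robust where the data is well-formed JSON, since it does not depend on counting backslashes at all.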

z0r0
Engager

@ITWhisperer, I just checked on regex101.com; the rex with three slashes works for the raw data I shared.

The rex string I gave regex101.com is
/allowedSourceAddressPrefix\\\":\\\"(?<allowedSourceAddressPrefix>.*?)\\\"/gm
for the raw data I shared, and it was able to match and get the desired value.

z0r0
Engager

@ITWhisperer, oh, you meant more than regex101. I'm still unable to get results with 5 slashes. Am I missing something when translating the command from the makeresults example to the actual data (any formatting stuff)?