How to get ip objects from a Splunk list?

splunknewuser · ‎09-22-2022

Hello,

I have an output list like this one:

{
    "10.10.10.15": {
    "High": [
      {
        "name": "vu1",
        "nvt_id": "123",
        "port": "",
        "protocol": ""
      }
    ],
    "Medium": [],
    "Low": [],
    "Log": [],
    "False Positive": []
  },
  "10.10.10.24": {
    "High": [
      {
        "name": "vul",
        "nvt_id": "123",
        "port": "",
        "protocol": ""
      }
    ],
    "Medium": [],
    "Low": [],
    "Log": [],
    "False Positive": []
  }
}

I want to get All the IP address and extract the fields in each object.

splunknewuser · ‎09-29-2022

I tried to use rex to get the ip addresses:

rex "(?<IP_add>10\.([0-9]{1,3}.){2}[0-9]{1,3})" | table "IP_add".High{}.name

Is it possible to fetch the values of the array using the rex output like that:

rex "(?<ip_add>10\.([0-9]{1,3}.){2}[0-9]{1,3})" | table ip_add.High{}.name

Thank you

gcusello · ‎09-29-2022

Hi @splunknewuser,

if you ise IP-Add as field name, you have to contniue to use it, if you want a different field name, youcan rename it, but you cannot extract a field called IP_add and the in the table use a different one " ip_add.High{}.name".

then it isn't a good idea to have spaces or special chars (like . or {}) in field names.

Ciao.

Giuseppe

gcusello · ‎09-22-2022

Hi @splunknewuser,

did you tried with the spath command (https://docs.splunk.com/Documentation/SplunkCloud/9.0.2205/SearchReference/Spath)?

Ciao.

Giuseppe

splunknewuser · ‎09-29-2022

I tried it but the issue is that the ip has now key?

How to get ip objects from a Splunk list?

field extraction

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to get ip objects from a Splunk list?

field extraction

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming