Splunk Search

How to pull data from Nested JSON Fields based on Field Value?

cfloquet
Path Finder

Hello, 

I'm working on creating automated alerts from an email security vendor and would like for them to only include the names of files/attachments which have the "attached" disposition within a nested JSON structure. The example below shows what I'm talking about in a limited/trimmed capacity:
messageParts: [
{
contentType: image/png
disposition: attached
filename: example.png
md5: xxyy
sha256: xxyy
}
{
contentType: text/html
disposition: inline
filename: text.html
md5: xxyy
sha256: xxyy
}
{
contentType: text/plain
disposition: inline
filename: text.txt
md5: xxyy
sha256: xxyy
}
]

Essentially I'd like to pull and store the respective "filename" and hash values for when the "disposition" field is "attached" but not "inline". I know this can likely be done using something like spath or mvfind, but I'm not entirely sure how to accomplish it and it's giving me fits. 

Anyone who can lend a helping hand would be handsomely rewarded with karma and many well wishes, thanks for taking the time to consider my question!

 

Labels (2)
Tags (3)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Here's an example using your base data. I added a 4th file, also attached to show that it works with possible multiple 'attached' files.

| makeresults
| eval _raw="{
 \"messageParts\": [
{
\"contentType\":\"image/png\",
\"disposition\":\"attached\",
\"filename\":\"example.png\",
\"md5\":\"xxyy\",
\"sha256\":\"xxyy\"
},
{
\"contentType\":\"text/html\",
\"disposition\":\"inline\",
\"filename\":\"text.html\",
\"md5\":\"xxyy\",
\"sha256\":\"xxyy\"
},
{
\"contentType\":\"text/plain\",
\"disposition\":\"inline\",
\"filename\":\"text.txt\",
\"md5\":\"xxyy\",
\"sha256\":\"xxyy\"
},
{
\"contentType\":\"text/plain\",
\"disposition\":\"attached\",
\"filename\":\"bla.txt\",
\"md5\":\"nnnn\",
\"sha256\":\"zzzz\"
}
]
}
"
| spath
| rename messageParts{}.* as *
| foreach 0 1 2 3 4 5 6 7 8 9 10 [ eval isAttach=if(mvindex(disposition, <<FIELD>>)="attached", 1, 0),  file=if(isAttach=1, mvappend(file, mvindex(filename, <<FIELD>>)), file), hash_md5=if(isAttach=1, mvappend(hash_md5, mvindex(md5, <<FIELD>>)), hash_md5), hash_sha256=if(isAttach=1, mvappend(hash_sha256, mvindex(sha256, <<FIELD>>)), hash_sha256) ]

Up to the spath is setting up the data example. The foreach 0 1 2... is simply creating a loop for 0-10, so supporting 11 possible filenames - add as many as you want. The returned file, hash_md5 and hash_sha256 will contain the data you need

 

cfloquet
Path Finder

I think this works great, havent tested fully yet but it looks right to me.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...