Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pull data from Nested JSON Fields based on Field Value?

cfloquet
Path Finder
‎09-14-2022 11:36 AM

Hello, 

I'm working on creating automated alerts from an email security vendor and would like for them to only include the names of files/attachments which have the "attached" disposition within a nested JSON structure. The example below shows what I'm talking about in a limited/trimmed capacity:
messageParts: [
{
contentType: image/png
disposition: attached
filename: example.png
md5: xxyy
sha256: xxyy
}
{
contentType: text/html
disposition: inline
filename: text.html
md5: xxyy
sha256: xxyy
}
{
contentType: text/plain
disposition: inline
filename: text.txt
md5: xxyy
sha256: xxyy
}
]

Essentially I'd like to pull and store the respective "filename" and hash values for when the "disposition" field is "attached" but not "inline". I know this can likely be done using something like spath or mvfind, but I'm not entirely sure how to accomplish it and it's giving me fits. 

Anyone who can lend a helping hand would be handsomely rewarded with karma and many well wishes, thanks for taking the time to consider my question!

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-14-2022 05:11 PM

Here's an example using your base data. I added a 4th file, also attached to show that it works with possible multiple 'attached' files.

| makeresults
| eval _raw="{
 \"messageParts\": [
{
\"contentType\":\"image/png\",
\"disposition\":\"attached\",
\"filename\":\"example.png\",
\"md5\":\"xxyy\",
\"sha256\":\"xxyy\"
},
{
\"contentType\":\"text/html\",
\"disposition\":\"inline\",
\"filename\":\"text.html\",
\"md5\":\"xxyy\",
\"sha256\":\"xxyy\"
},
{
\"contentType\":\"text/plain\",
\"disposition\":\"inline\",
\"filename\":\"text.txt\",
\"md5\":\"xxyy\",
\"sha256\":\"xxyy\"
},
{
\"contentType\":\"text/plain\",
\"disposition\":\"attached\",
\"filename\":\"bla.txt\",
\"md5\":\"nnnn\",
\"sha256\":\"zzzz\"
}
]
}
"
| spath
| rename messageParts{}.* as *
| foreach 0 1 2 3 4 5 6 7 8 9 10 [ eval isAttach=if(mvindex(disposition, <<FIELD>>)="attached", 1, 0),  file=if(isAttach=1, mvappend(file, mvindex(filename, <<FIELD>>)), file), hash_md5=if(isAttach=1, mvappend(hash_md5, mvindex(md5, <<FIELD>>)), hash_md5), hash_sha256=if(isAttach=1, mvappend(hash_sha256, mvindex(sha256, <<FIELD>>)), hash_sha256) ]

Up to the spath is setting up the data example. The foreach 0 1 2... is simply creating a loop for 0-10, so supporting 11 possible filenames - add as many as you want. The returned file, hash_md5 and hash_sha256 will contain the data you need

 

Reply

cfloquet
Path Finder
‎09-20-2022 11:06 AM

I think this works great, havent tested fully yet but it looks right to me.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...