Splunk Search

How to search in a JSON array of hashes?

jselvi
Explorer

I have a JSON entry as follows:

{ [-] 
        name:  change_user_access 
        parameters: [ [-] 
         { [+] 
         } 
         { [-] 
            name:  target_user 
            value:  me@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [-] 
            name:  owner 
            value:  peter@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [+] 
         } 
       ] 

I'm trying to find a way to get only those events where:

  • name == "change_user_access"
  • owner == "*@corp.com"
  • target_user != "*@corp.com"

The problem is that I don't know how to request something like: 'if name="owner" and value="*@corp.com" in the same hash'.
Any ideas?

0 Karma

axl88
Communicator

I do this type of alerting via the field-extractions feature. I write my regex for each field I want to extract and use these fields for alert conditionals. Moreover, it is easier to maintain since all your extractions are saved in settings. Also, I personally don't like having lines of command in my Splunk searches.

1) In the extracted field, write your regex with lookahead/lookbehind and give it an appropriate name. In your case, you should look for the existence of change_user_access and then look for the other extracted fields. Your regex should look like:

(?i)(?:name:\s+)(?P<top_in_hierarcy>[^\s]+)(?=\s+parameters)

2) Then do the same for the other fields you want to extract.
3) When setting up the alert, add the top_in_hierarcy field above to your search as "top_in_hierarcy=change_user_access". It will bring back only those events, and you can work more easily with the details using other Splunk features as well as regex.

0 Karma

javiergn
Super Champion

See if the following helps. Please note I'm assuming you have separated events. If that's not the case, please provide more information about your JSON.

| stats count | fields - count
| eval _raw = "{ [-] 
         name:  change_user_access 
         parameters: [ [-] 
          { [+] 
          } 
          { [-] 
             name:  target_user 
             value:  me@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [-] 
             name:  owner 
             value:  peter@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [+] 
          } 
        ] "
| regex _raw = "(?msi)name:  change_user_access.+name:  owner \s+value:  peter@corp.com"
| regex _raw != "(?msi)name:  target_user \s+value:  [^\s@]+@corp.com"

EDIT
Worst case, simply extract your JSON with spath and filter with search or where afterwards.

0 Karma
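Building on the spath suggestion in this answer, here is an added example (not from the original thread) that correlates name and value inside the same array element. It assumes the indexed events are real JSON (the [-]/[+] markers in the question are the Search app's JSON viewer, not the raw text), that each parameters element carries both a name and a value so the two multivalue fields spath produces stay index-aligned, and that <your_index>/<your_sourcetype> are placeholders for your own data:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| spath path=name
| spath path=parameters{}.name output=param_name
| spath path=parameters{}.value output=param_value
| eval owner=mvindex(param_value, mvfind(param_name, "^owner$"))
| eval target_user=mvindex(param_value, mvfind(param_name, "^target_user$"))
| where name="change_user_access" AND like(owner, "%@corp.com") AND NOT like(target_user, "%@corp.com")
| table _time, name, owner, target_user
```

mvfind returns the position of the element whose name matches, and mvindex reads the value at that same position, which is what ties "name" and "value" to one hash; an event with no owner or target_user element gets a null field and is dropped by where, matching the != semantics in the question. If an element can omit value, the two multivalue fields drift out of alignment; in that case use spath path=parameters{} output=param | mvexpand param | spath input=param so each element is parsed on its own.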

axl88
Communicator

To be clear, do you want to index only events with these fields, or is this already indexed and you want to extract events that have these values?

0 Karma

jselvi
Explorer

This is already indexed. I want to extract those events and create an alert.

0 Karma