I have a JSON entry as follows:
{ [-]
name: change_user_access
parameters: [ [-]
{ [+]
}
{ [-]
name: target_user
value: me@corp.com
}
{ [+]
}
{ [+]
}
{ [-]
name: owner
value: peter@corp.com
}
{ [+]
}
{ [+]
}
{ [+]
}
]
I'm trying to find a way to get only those events where:
The problem is that I don't know how to request something like: 'if name="owner" and value="*@corp.com" in the same hash'.
Any ideas?
I do this type of alerting via the field-extractions feature. I write my regex for each field I want to extract and use these fields for the alert conditionals. Moreover, it is easier to maintain since all your extractions are saved in settings. Also, I personally don't like having lines of commands in my Splunk searches.
1) In the extracted field, write your regex with lookahead/lookbehind and give it an appropriate name. In your case, you should look for the existence of change_user_access, then look for the other extracted fields. Your regex should look like:
(?i)(?:name\s*:\s*)(?P<top_in_hierarcy>[^\s\-]+)(?=\s*parameters)
2) Then do the same for the other fields you want to extract.
3) When setting up the alert, add the top_in_hierarcy field above to your search as "top_in_hierarcy=change_user_access". It will bring back only those events, and you can work more easily with the details using other Splunk features as well as regex.
See if the following helps. Please note I'm assuming you have separated events. If that's not the case please provide more information about your JSON.
| stats count | fields - count
| eval _raw = "{ [-]
name: change_user_access
parameters: [ [-]
{ [+]
}
{ [-]
name: target_user
value: me@corp.com
}
{ [+]
}
{ [+]
}
{ [-]
name: owner
value: peter@corp.com
}
{ [+]
}
{ [+]
}
{ [+]
}
] "
| regex _raw = "(?msi)name: change_user_access.+name: owner\s+value: peter@corp.com"
| regex _raw != "(?msi)name: target_user\s+value: [^\s@]+@corp.com"
EDIT
Worst case, simply extract your JSON with spath and filter with search or where afterwards.
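The spath route, as an added example that is not from either answer: it assumes the indexed _raw is real JSON (the question's viewer output, not the pretty-printed form), builds one sample event with makeresults so it runs on its own, and keeps each parameters hash together so that name and value are tested on the same hash rather than as two independent multivalue fields.

```spl
| makeresults
| eval _raw="{\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"target_user\",\"value\":\"me@corp.com\"},{\"name\":\"owner\",\"value\":\"peter@corp.com\"}]}"
| spath name
| spath path=parameters{} output=param
| mvexpand param
| spath input=param path=name output=param_name
| spath input=param path=value output=param_value
| where name="change_user_access" AND param_name="owner" AND match(param_value, "@corp[.]com$")
```

On real data replace the first two lines with your base search (index=... sourcetype=...); mvexpand on param, rather than mvzip on the name and value arrays, avoids misaligning pairs when a hash lacks a value field.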
To be clear, do you want to index only events with these fields, or is this already indexed and you want to extract events that have these values?
This is already indexed. I want to extract those events and create an alert.