Splunk Search

How to search in a JSON array of hashes?

Explorer

I have a JSON entry as follows:

{ [-] 
        name:  change_user_access 
        parameters: [ [-] 
         { [+] 
         } 
         { [-] 
            name:  target_user 
            value:  me@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [-] 
            name:  owner 
            value:  peter@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [+] 
         } 
       ] 

I'm trying to find a way to get only those events where:

  • name == "change_user_access"
  • owner == "*@corp.com"
  • target_user != "*@corp.com"

The problem is that I don't know how to request something like: 'if name="owner" and value="*@corp.com" in the same hash'.
Any ideas?

0 Karma

Re: How to search in a JSON array of hashes?

Communicator

To be clear, do you want to index only events with these fields, or is this already indexed and you want to extract the events that have these values?

0 Karma

Re: How to search in a JSON array of hashes?

Explorer

This is already indexed. I want to extract those events and create an alert.

0 Karma

Re: How to search in a JSON array of hashes?

SplunkTrust

See if the following helps. Please note I'm assuming you have separate events. If that's not the case, please provide more information about your JSON.

| stats count | fields - count
| eval _raw = "{ [-] 
         name:  change_user_access 
         parameters: [ [-] 
          { [+] 
          } 
          { [-] 
             name:  target_user 
             value:  me@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [-] 
             name:  owner 
             value:  peter@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [+] 
          } 
        ] "
| regex _raw = "(?msi)name:  change_user_access.+name:  owner \s+value:  peter@corp.com"
| regex _raw != "(?msi)name:  target_user \s+value:  [^\s@]+@corp.com"

EDIT
Worst case, simply extract your JSON with spath and filter with search or where afterwards.

0 Karma
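The core difficulty in the question is keeping `name` and `value` paired inside one hash. The added example below is not from the thread or from Splunk; it is standalone Python that shows three ways of evaluating the asker's conditions on constructed events written as real JSON (the post shows Splunk's collapsed UI rendering, not literal JSON). `match_per_hash` evaluates each condition inside its own hash, `match_regex` mirrors the answer's regex idea (adjacency of `name` and `value` in the raw text keeps them in one hash, assuming the serializer emits `name` before `value`), and `match_flattened` simulates checking flattened multivalue fields of the kind `spath` produces for arrays (`parameters{}.name`, `parameters{}.value`), where the pairing is lost. The event data and the field names other than those in the question are constructed for the demonstration.

```python
import json
import re
from fnmatch import fnmatchcase

INTERNAL = "*@corp.com"          # wildcard exactly as written in the question
ACTION = "change_user_access"

# Constructed sample events, one JSON document per event (not data from the post).
EVENTS = [
    # index 0: owner internal, target_user external -> the event the asker wants
    '{"name": "change_user_access", "parameters": ['
    '{"name": "target_user", "value": "guest@example.org"}, '
    '{"name": "owner", "value": "peter@corp.com"}]}',
    # index 1: target_user is internal -> must be excluded
    '{"name": "change_user_access", "parameters": ['
    '{"name": "target_user", "value": "me@corp.com"}, '
    '{"name": "owner", "value": "peter@corp.com"}]}',
    # index 2: different action -> must be excluded
    '{"name": "reset_password", "parameters": ['
    '{"name": "target_user", "value": "guest@example.org"}, '
    '{"name": "owner", "value": "peter@corp.com"}]}',
    # index 3: owner external, target_user internal -> must be excluded
    '{"name": "change_user_access", "parameters": ['
    '{"name": "owner", "value": "mallory@example.org"}, '
    '{"name": "target_user", "value": "me@corp.com"}]}',
]


def params_of(event):
    """Return the list of {name, value} hashes; tolerate a missing or odd array."""
    return [p for p in event.get("parameters", []) if isinstance(p, dict)]


def match_per_hash(raw):
    """Evaluate each condition inside the hash it belongs to (what the question asks for)."""
    event = json.loads(raw)
    if event.get("name") != ACTION:
        return False
    owners = [p.get("value", "") for p in params_of(event) if p.get("name") == "owner"]
    targets = [p.get("value", "") for p in params_of(event) if p.get("name") == "target_user"]
    owner_internal = any(fnmatchcase(v, INTERNAL) for v in owners)
    # An absent target_user counts as "not internal"; tighten this if the alert needs it.
    target_internal = any(fnmatchcase(v, INTERNAL) for v in targets)
    return owner_internal and not target_internal


# Regex variant in the spirit of the answer: name and value must be adjacent in the raw text,
# which implicitly restricts the match to a single hash. Assumes "name" precedes "value".
ACTION_RE = re.compile(r'"name":\s*"change_user_access"')
OWNER_RE = re.compile(r'"name":\s*"owner",\s*"value":\s*"[^"\s@]+@corp\.com"')
TARGET_RE = re.compile(r'"name":\s*"target_user",\s*"value":\s*"[^"\s@]+@corp\.com"')


def match_regex(raw):
    """Raw-text regex filter: include on the owner pattern, exclude on the target_user pattern."""
    return bool(ACTION_RE.search(raw)) and bool(OWNER_RE.search(raw)) and not TARGET_RE.search(raw)


def match_flattened(raw):
    """Simulate a check on flattened multivalue fields (all names in one list, all values in
    another). The pairing is gone, so 'some value is internal' applies to every name at once."""
    event = json.loads(raw)
    if event.get("name") != ACTION:
        return False
    names = [p.get("name") for p in params_of(event)]
    any_internal = any(fnmatchcase(p.get("value", ""), INTERNAL) for p in params_of(event))
    owner_cond = "owner" in names and any_internal
    target_cond = "target_user" in names and any_internal
    return owner_cond and not target_cond


def matching_indexes(events, matcher):
    """Indexes of the events a given matcher selects."""
    return [i for i, raw in enumerate(events) if matcher(raw)]


if __name__ == "__main__":
    for matcher in (match_per_hash, match_regex, match_flattened):
        print(matcher.__name__, matching_indexes(EVENTS, matcher))
```

Running it shows the per-hash and regex variants both select only event 0, while the flattened variant selects nothing: because the internal owner value satisfies the exclusion condition for `target_user` as well, the flattened check silently drops the one event the alert is meant to catch. That false negative is the reason the pairing has to be preserved, whether by adjacency in a regex or by evaluating conditions per hash after extraction.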

Re: How to search in a JSON array of hashes?

Communicator

I do this type of alerting via the field extractions feature. I write my regex for each field I want to extract and use these fields for alert conditionals. Moreover, it is easier to maintain since all your extractions are saved in settings. Also, I personally don't like having lines of commands in my Splunk searches.

1) In the extracted field, write your regex with lookahead/lookbehind and give it an appropriate name. In your case, you should look for the existence of change_user_access, then look at the other extracted fields. Your regex should look like:

(?:Name\s\:)(?P<top_in_hierarcy>[^\-]+?)(?=\nParameters)

2) Then do the same for the other fields you want to extract.
3) When setting up the alert, add the top_in_hierarcy field above to your search as "top_in_hierarcy=change_user_access". It will bring only those events, and you can work more easily with the details using other Splunk features as well as regex.

0 Karma