Splunk Search

How to spath or rename commands not extracting field / values?

bt149
Path Finder

I have a field called properties.requestbody.  I would like to have this field broken out based on the field and values paired.  I've tried with spath and no luck.  I've used and am using rename to extract the field / values in other parts of the logged events.  Not having luck with this field.  I think it has to do with the quotes but I'm not certain.  Thanks as always for the help and guidance.

"properties": {"requestbody": "{\"properties\":{\"description\":\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \",\"displayName\":\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\",\"metadata\":\"******\",\"mode\":\"Indexed\",\"parameters\":\"******\",\"policyRule\":\"******\",\"policyType\":\"Custom\"}}"

0 Karma

yuanliu
SplunkTrust

I am a little confused.  Your actual events should look like this:

{"properties": {"requestbody": "{\"properties\":{\"description\":\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \",\"displayName\":\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\",\"metadata\":\"******\",\"mode\":\"Indexed\",\"parameters\":\"******\",\"policyRule\":\"******\",\"policyType\":\"Custom\"}}"}}

Is this about right? (If the raw data is not conformant JSON, you can try to make it conformant, then use spath.) Splunk already gives you a field properties.requestbody, with this value:

{"properties":{"description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. ","displayName":"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL","metadata":"******","mode":"Indexed","parameters":"******","policyRule":"******","policyType":"Custom"}}

If the above is correct, all you need to do is to run spath against this field, i.e.,

| spath input=properties.requestbody

Using this, your sample data gives

properties.description = Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc.
properties.displayName = COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL
properties.metadata = ******
properties.mode = Indexed
properties.parameters = ******
properties.policyRule = ******
properties.policyType = Custom

Emulation

This is the emulation I use to test

| makeresults
| fields - _time
| eval _raw = "{\"properties\": {\"requestbody\": \"{\\\"properties\\\":{\\\"description\\\":\\\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \\\",\\\"displayName\\\":\\\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\\\",\\\"metadata\\\":\\\"******\\\",\\\"mode\\\":\\\"Indexed\\\",\\\"parameters\\\":\\\"******\\\",\\\"policyRule\\\":\\\"******\\\",\\\"policyType\\\":\\\"Custom\\\"}}\"}}"
``` data emulation above ```
| spath

0 Karma

bt149
Path Finder

Don't be confused, my events look like how I posted and I believe that along w/ the quotes are causing the issue.

0 Karma

yuanliu
SplunkTrust

Your original post says "I have a field called properties.requestbody."  That is only possible if the event is actually what I mended.

Now, if the original event is indeed missing the left open curly bracket and missing two closing brackets, you can "mend" it by simply adding them.

| eval _raw = replace(_raw, "(.*)", "{\1}}")
| spath
| spath input=properties.requestbody

Using SPL's builtin command would be much more robust than using rex to handle structured data.

Emulation

Here is an emulation to demonstrate:

| makeresults
| fields - _time
| eval _raw = "\"properties\": {\"requestbody\": \"{\\\"properties\\\":{\\\"description\\\":\\\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \\\",\\\"displayName\\\":\\\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\\\",\\\"metadata\\\":\\\"******\\\",\\\"mode\\\":\\\"Indexed\\\",\\\"parameters\\\":\\\"******\\\",\\\"policyRule\\\":\\\"******\\\",\\\"policyType\\\":\\\"Custom\\\"}}\""
``` data emulation above ```

It gives the exact string in your OP.

_raw
"properties": {"requestbody": "{\"properties\":{\"description\":\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \",\"displayName\":\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\",\"metadata\":\"******\",\"mode\":\"Indexed\",\"parameters\":\"******\",\"policyRule\":\"******\",\"policyType\":\"Custom\"}}"

Use replacement on it,

| makeresults
| fields - _time
| eval _raw = "\"properties\": {\"requestbody\": \"{\\\"properties\\\":{\\\"description\\\":\\\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \\\",\\\"displayName\\\":\\\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\\\",\\\"metadata\\\":\\\"******\\\",\\\"mode\\\":\\\"Indexed\\\",\\\"parameters\\\":\\\"******\\\",\\\"policyRule\\\":\\\"******\\\",\\\"policyType\\\":\\\"Custom\\\"}}\""
``` data emulation above ```
| eval _raw = replace(_raw, "(.*)", "{\1}}")

Then, you get the exact conformant JSON in my previous reply.

_raw
{"properties": {"requestbody": "{\"properties\":{\"description\":\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \",\"displayName\":\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\",\"metadata\":\"******\",\"mode\":\"Indexed\",\"parameters\":\"******\",\"policyRule\":\"******\",\"policyType\":\"Custom\"}}"}}
0 Karma
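As an added illustration (not from the original thread and not Splunk's own code), here is the same two-step approach in Python: first wrap the truncated event so the outer object parses, then parse the JSON document that properties.requestbody carries as a string, which is what the second `spath input=properties.requestbody` does. The sample event is constructed to match the shape of the one in the post (the long description text is shortened); the escaped quotes inside requestbody are ordinary JSON string escaping and parse fine, so the only thing that has to be fixed is the missing `{` and `}}`.

```python
"""Added example: mimic '| spath' then '| spath input=properties.requestbody'
on an event that is missing its outer braces. Not from the original thread."""
import json
from typing import Any

# Constructed sample in the exact shape of the event posted in the thread,
# with the description shortened. Note the missing leading "{" and the two
# missing closing "}}" of the outer object.
RAW_EVENT = (
    '"properties": {"requestbody": "{\\"properties\\":{'
    '\\"description\\":\\"Azure Private Link lets you connect ...\\",'
    '\\"displayName\\":\\"COMP-015N-Disk access resources should use '
    'private link-AuditIfNotExists-BUL\\",'
    '\\"metadata\\":\\"******\\",\\"mode\\":\\"Indexed\\",'
    '\\"parameters\\":\\"******\\",\\"policyRule\\":\\"******\\",'
    '\\"policyType\\":\\"Custom\\"}}"'
)


def is_json(text: str) -> bool:
    """True when the text is a complete JSON document (what spath requires)."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def mend_event(raw: str) -> str:
    """Python equivalent of:  | eval _raw = replace(_raw, "(.*)", "{\\1}}")

    Only wraps the event when it does not already parse, so a well-formed
    event is left untouched. Raises if the wrap does not produce valid JSON,
    because silently emitting a still-broken event would hide the real defect.
    """
    if is_json(raw):
        return raw
    candidate = "{" + raw + "}}"
    if is_json(candidate):
        return candidate
    raise ValueError("event is not JSON and the {...}} mend does not fix it")


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Produce dotted field names the way spath does (properties.mode, ...).
    Arrays are kept whole under the spath-style 'name{}' multivalue key."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        out[prefix.rstrip(".") + "{}"] = obj
    else:
        out[prefix.rstrip(".")] = obj
    return out


def extract(raw: str) -> dict[str, Any]:
    """Step 1 (| spath): parse the mended outer object.
    Step 2 (| spath input=properties.requestbody): the value of that field is
    itself a JSON document encoded as a string, so parse it a second time."""
    fields = flatten(json.loads(mend_event(raw)))
    body = fields.get("properties.requestbody")
    if isinstance(body, str) and is_json(body):
        fields.update(flatten(json.loads(body)))
    return fields


if __name__ == "__main__":
    print("raw event is valid JSON:", is_json(RAW_EVENT))
    for name, value in extract(RAW_EVENT).items():
        print(f"{name} = {value}")
```

The `{...}}` mend is only safe when every event is truncated in exactly this way; if the truncation happens at ingestion, fixing the input (so `_raw` arrives as complete JSON) is more robust than repairing it in every search.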

richgalloway
SplunkTrust

Splunk is fully capable of handling quotation marks in JSON events.  I believe we've demonstrated that.  The issue (as I see it) is the sample event is not valid JSON and the spath command will not process it.  AFAIK, none of the other JSON commands will work with invalid JSON, either.

---
If this reply helps you, Karma would be appreciated.
0 Karma

bt149
Path Finder

I ended up using rex to get done what needed to be done.  Thanks for the help and guidance.

richgalloway
SplunkTrust

The spath command won't work with anything less than perfect JSON.  You can see this in the search log from the message:

WARN  SPathCommand [22744 phase_1] - Some events are not in XML or JSON format.  Fields will not be extracted from these events.

Adding {} around the event helped.

BTW, the rename command does not extract fields.  It merely changes the names of existing fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma

bt149
Path Finder

Thanks for the reply.  I don't see the WARN you posted.  I'm not expecting the "rename" cmd to do field extractions.

In these logged events there is another set of fields called identity.authorization.action and identity.authorization.scope.  Using the rename command I then get two fields w/ corresponding values.

| rename identity.authorization.* AS *

     will produce action = "value"
     will produce scope = "value"

The difference is that in the "identity" field the action and scope don't have quotes around the values, whereas the "properties.requestbody" field has quotes around all the fields and values.  Hope that makes sense.

0 Karma

richgalloway
SplunkTrust

The fields without quoted values will need a different regex.  How different depends on what values are expected and how Splunk can know where the value ends.  It may be possible to craft a regex that extracts either quoted or unquoted values, but that still means knowing where the value ends.

---
If this reply helps you, Karma would be appreciated.
0 Karma

bt149
Path Finder

The fields w/out quotes I have no issues with, just the one with the quotes.

0 Karma