Only select matching JSON data

joesecurity
Engager

I load JSON reports into Splunk and those reports have many arrays:

{  
   "analysis":{  
      "behavior":{  
         "processes":{  
            "process":[  
               {  
                  "fileactivities":{  
                     "fileCreated":{  
                        "call":[  
                           {  
                              "path":"C:\\Windows\\a"
                           },
                           {  
                              "path":"C:\\b"
                           }
                        ]
                     }
                  }
               }
            ]
         }
      }
   }
}

When I search:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*"

I often like to show the matching data. I use a table to do so:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | table "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"

However, the issue is that this shows me all fileCreated of the matching event and not only the one starting with C:\Windows.

How do I filter that?


kamlesh_vaghela
SplunkTrust

@joesecurity

Can you please try the search below?

source=test | rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path 
| mvexpand fileCreated_path 
| search fileCreated_path="C:\\Windows\\*"

My Sample Search:

| makeresults 
| eval _raw="{\"analysis\":{\"behavior\":{\"processes\":{\"process\":[{\"fileactivities\":{\"fileCreated\":{\"call\":[{\"path\":\"C:\\\\Windows\\\\a\"},{\"path\":\"C:\\\\b\"}]}}}]}}}}" 
| kv 
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path 
| mvexpand fileCreated_path 
| search fileCreated_path="C:\\Windows\\*"


joesecurity
Engager

I tried this on my data but I don't get any results.


joesecurity
Engager

Is there a way to debug the call to see why it does not work?


kamlesh_vaghela
SplunkTrust

@joesecurity

Did you get any results from the below search? Can you please confirm?

source=test | table "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path"

joesecurity
Engager

No results found in the visualization tab.


kamlesh_vaghela
SplunkTrust

In the Statistics tab?


joesecurity
Engager

I found it. There was a difference between the JSON format listed in the example and the actual data.


joesecurity
Engager

One last question: let us assume "call" has more elements, also "status". How can I list the "path" and "status" for all calls which have path="C:\Windows*"?


kamlesh_vaghela
SplunkTrust

For that, I have some magic for you.

| makeresults 
| eval _raw="{
    \"analysis\":{
       \"behavior\":{
          \"processes\":{
             \"process\":[
                {
                   \"fileactivities\":{
                      \"fileCreated\":{
                         \"call\":[
                            {
                               \"path\":\"C:\\\\Windows\\\\a\",
                               \"status\":\"status1\"
                            },
                            {
                               \"path\":\"C:\\\\b\",
                               \"status\":\"status2\"
                            }
                         ]
                      }
                   }
                }
             ]
          }
       }
    }
 }" 
| kv 
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.status" as fileCreated_status 
| eval temp=mvzip(fileCreated_path,fileCreated_status) 
| mvexpand temp 
| eval fileCreated_path=mvindex(split(temp,","),0),fileCreated_status=mvindex(split(temp,","),1) 
| search fileCreated_path="C:\\Windows\\*"
| table _time fileCreated_path fileCreated_status

Happy Splunking


tom_frotscher
Builder

Looks like your field is a multivalue field, because the path through your JSON object is the same for all fields called "path".

You can select a value from a multivalue field with the help of eval and mvindex:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | eval path=mvindex('behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path',0) | table path

Does this work for you?


joesecurity
Engager

This does not really help as I want to search all paths in all events but obviously only show the paths which matched.


tom_frotscher
Builder

Then you might use mvfilter to filter down your multivalue fields to what you need in the end? Like using a regex with mvfilter that filters out only paths that start with C:\\Windows*.


tom_frotscher
Builder

I will give you an example. You can copy this and run it in your Splunk:

| makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field | eval path=mvfilter(match(field,"C:\\\\Windows.*"))

Everything up to | makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field should look like your result and the | eval path=mvfilter(match(field,"C:\\\\Windows.*")) filters down the result to the C:\Windows* match.

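Combining the two approaches in this thread, the mvzip pairing from kamlesh_vaghela's answer and the mvfilter suggestion from tom_frotscher, as an added example that is not from either poster: it keeps each event as a single row and returns only the call entries whose path begins with C:\Windows, together with their status, so a process with a thousand file writes does not become a thousand rows. The event is constructed inline; spath stands in for kv, the "|" delimiter is used instead of the default "," so a path containing a comma is not split incorrectly, and mvmap assumes Splunk 8.0 or later.

```spl
| makeresults
| eval _raw="{\"analysis\":{\"behavior\":{\"processes\":{\"process\":[{\"fileactivities\":{\"fileCreated\":{\"call\":[{\"path\":\"C:\\\\Windows\\\\a\",\"status\":\"status1\"},{\"path\":\"C:\\\\b\",\"status\":\"status2\"},{\"path\":\"C:\\\\Windows\\\\x,y\",\"status\":\"status3\"}]}}}]}}}}"
| spath
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path,
         "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.status" as fileCreated_status
| eval pair=mvzip(fileCreated_path, fileCreated_status, "|")
| eval matched=mvfilter(match(pair, "^C:\\\\Windows\\\\"))
| where isnotnull(matched)
| eval matched_path=mvmap(matched, mvindex(split(matched, "|"), 0)),
       matched_status=mvmap(matched, mvindex(split(matched, "|"), 1))
| table _time matched_path matched_status
```

The four backslashes in the match() pattern become two after SPL string unescaping and one literal backslash after regex unescaping, which is why the page's mvfilter example also writes "C:\\\\Windows"; the where clause drops events in which no call matched, since mvfilter returns null rather than an empty list.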

kamlesh_vaghela
SplunkTrust

@joesecurity

Can you please share a sample event?


joesecurity
Engager

Added event data.
