Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pulling new fields out of nested JSON data

joemiller
Path Finder
‎04-15-2021 12:35 PM

Looking at the example field below (part of a JSON event), I'm trying to figure out how at search time to pair up the corresponding values of properties.appliedConditionalAccessPolicies{}.displayName fields and properties.appliedConditionalAccessPolicies{}.result fields into new field/value pairs for each event (note that there can be multiple pairs per event - two in this example). So for example, in the event below, I would want to add two new field/value pairs to the event:

Require_Duo_MFA=success
Scammer_Blocked_IP_Addresses=notApplied

Any ideas how to approach that?

 

appliedConditionalAccessPolicies: [ [-]
       { [-]
         conditionsNotSatisfied: 0
         conditionsSatisfied: 3
         displayName: Require Duo MFA
         enforcedGrantControls: [ [+]
         ]
         enforcedSessionControls: [ [+]
         ]
         id: 11111111-1111-1111-1111-111111111111
         result: success
       }
       { [-]
         conditionsNotSatisfied: 8
         conditionsSatisfied: 3
         displayName: Scammer Blocked IP Addresses
         enforcedGrantControls: [ [+]
         ]
         enforcedSessionControls: [ [+]
         ]
         id: 22222222-2222-2222-2222-222222222222
         result: notApplied
       }
     ]

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 01:28 PM

First, extract (spath) the array elements as properties.appliedConditionalAccessPolicies objects, then mvexpand that to give you separate events for each object. Then extract (spath again) the two fields you want. Then replace the spaces in displayName with underscores. The create a new field based on the contents of displayName. Something along these lines.

| spath path=properties.appliedConditionalAccessPolicies output=appliedConditionalAccessPolicies 
| mvexpand appliedConditionalAccessPolicies 
| spath input=appliedConditionalAccessPolicies path=displayName output=displayName
| spath input=appliedConditionalAccessPolicies path=result output=result
| eval displayName=replace(displayName," ","_")
| eval {displayName}=result

 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 01:28 PM

First, extract (spath) the array elements as properties.appliedConditionalAccessPolicies objects, then mvexpand that to give you separate events for each object. Then extract (spath again) the two fields you want. Then replace the spaces in displayName with underscores. The create a new field based on the contents of displayName. Something along these lines.

| spath path=properties.appliedConditionalAccessPolicies output=appliedConditionalAccessPolicies 
| mvexpand appliedConditionalAccessPolicies 
| spath input=appliedConditionalAccessPolicies path=displayName output=displayName
| spath input=appliedConditionalAccessPolicies path=result output=result
| eval displayName=replace(displayName," ","_")
| eval {displayName}=result

 

Reply
Solved! Jump to solution

joemiller
Path Finder
‎04-15-2021 03:32 PM

Oh actually, should there be a command towards the end to "undo" the mvexpand? It looks like I still have separate events for each object..

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 04:24 PM

If you want to collect all the event together at the end, do something like this: before the mvexpand tag each event with a row number

| streamstats count as row

 Then at the end, gather them back

| stats values(*) as * by row

 

Reply
Solved! Jump to solution

joemiller
Path Finder
‎04-15-2021 04:28 PM

Great, thanks again!

0 Karma
Reply
Solved! Jump to solution

joemiller
Path Finder
‎04-15-2021 02:50 PM

Thank you very much! This is exactly what I was looking for. Worked perfectly. I did have to add a pair of curly brackets to the end of the path parameter in your first line, e.g.:

 

| spath path=properties.appliedConditionalAccessPolicies{} output=appliedConditionalAccessPolicies

 

 Anyways, I really appreciate the quick answer and the detailed explanation! Marking this as the answer.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...