Splunk Search

Splunk searching nested json

blaku
Explorer

Hello
I use automatic translation because I am not good at English. sorry.

I took NVD 's CVE list (Json Feed) into Splunk.
That's index="testIndex" product_name = "openssl" "version_data" = "1.6.0" Searching with
There is no "1.6.0" in the version of openssl

I want to link product with version but it does not work as expected.
I can't get spath or mvexpand to extract the nested arrays properly
Someone help me.

 {
            "cve" : {
              "CVE_data_meta" : {
                "ID" : "CVE-2013-0169",
                "ASSIGNER" : "cve@mitre.org"
              },
              "affects" : {
                "vendor" : {
                  "vendor_data" : [ {
                    "vendor_name" : "openssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "*"
                          }, {
                            "version_value" : "0.9.8"
                          }, {
                            "version_value" : "0.9.8a"
                          }, {
                            "version_value" : "0.9.8b"
                          }, {
                            "version_value" : "0.9.8c"
                          }, {
                            "version_value" : "0.9.8d"
                          }, {
                            "version_value" : "0.9.8f"
                          }, {
                            "version_value" : "0.9.8g"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "oracle",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openjdk",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "-"
                          }, {
                            "version_value" : "1.6.0"
                          }, {
                            "version_value" : "1.7.0"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "polarssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "polarssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "0.10.0"
                          }, {
                            "version_value" : "0.10.1"
                          }, {
                            "version_value" : "0.11.0"
                          } ]
                        }
                      } ]
                    }
                  } ]
                }
              }
            },
            "publishedDate" : "2013-02-08T19:55Z",
            "lastModifiedDate" : "2018-08-09T01:29Z"
          }
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@blaku,

Try

|makeresults |eval json="  {
             \"cve\" : {
               \"CVE_data_meta\" : {
                 \"ID\" : \"CVE-2013-0169\",
                 \"ASSIGNER\" : \"cve@mitre.org\"
               },
               \"affects\" : {
                 \"vendor\" : {
                   \"vendor_data\" : [ {
                     \"vendor_name\" : \"openssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"*\"
                           }, {
                             \"version_value\" : \"0.9.8\"
                           }, {
                             \"version_value\" : \"0.9.8a\"
                           }, {
                             \"version_value\" : \"0.9.8b\"
                           }, {
                             \"version_value\" : \"0.9.8c\"
                           }, {
                             \"version_value\" : \"0.9.8d\"
                           }, {
                             \"version_value\" : \"0.9.8f\"
                           }, {
                             \"version_value\" : \"0.9.8g\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"oracle\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openjdk\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"-\"
                           }, {
                             \"version_value\" : \"1.6.0\"
                           }, {
                             \"version_value\" : \"1.7.0\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"polarssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"polarssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"0.10.0\"
                           }, {
                             \"version_value\" : \"0.10.1\"
                           }, {
                             \"version_value\" : \"0.11.0\"
                           } ]
                         }
                       } ]
                     }
                   } ]
                 }
               }
             },
             \"publishedDate\" : \"2013-02-08T19:55Z\",
             \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
           }"
           |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name
           |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version 
           |eval z=mvzip(product_name,version,"#")|table z| mvexpand z
           |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version
           |spath input=Version output=Versions path=version_data{}.version_value
           |table Product,Versions
           |mvexpand Versions
Happy Splunking!

View solution in original post

vmacedo
Explorer

Here is another solution, but this one does not need mvzip, split or mvindex:

|makeresults |eval json="  {
              \"cve\" : {
                \"CVE_data_meta\" : {
                  \"ID\" : \"CVE-2013-0169\",
                  \"ASSIGNER\" : \"cve@mitre.org\"
                },
                \"affects\" : {
                  \"vendor\" : {
                    \"vendor_data\" : [ {
                      \"vendor_name\" : \"openssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"*\"
                            }, {
                              \"version_value\" : \"0.9.8\"
                            }, {
                              \"version_value\" : \"0.9.8a\"
                            }, {
                              \"version_value\" : \"0.9.8b\"
                            }, {
                              \"version_value\" : \"0.9.8c\"
                            }, {
                              \"version_value\" : \"0.9.8d\"
                            }, {
                              \"version_value\" : \"0.9.8f\"
                            }, {
                              \"version_value\" : \"0.9.8g\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"oracle\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openjdk\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"-\"
                            }, {
                              \"version_value\" : \"1.6.0\"
                            }, {
                              \"version_value\" : \"1.7.0\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"polarssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"polarssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"0.10.0\"
                            }, {
                              \"version_value\" : \"0.10.1\"
                            }, {
                              \"version_value\" : \"0.11.0\"
                            } ]
                          }
                        } ]
                      }
                    } ]
                  }
                }
              },
              \"publishedDate\" : \"2013-02-08T19:55Z\",
              \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
            }"
            |spath input=json output=product_data path=cve.affects.vendor.vendor_data{}.product{}.product_data{}
            |mvexpand product_data
            |spath input=product_data path=product_name
            |spath input=product_data output=version path=version.version_data{}.version_value
            |mvexpand version
            |table product_name, version

to4kawa
Ultra Champion

Great! thank you

0 Karma

afroz
Path Finder

Hi,

Map JSON logs to _json sourcetype.

In the props.conf file create stanza like below.

[_json]
KV_MODE= json

It will extract fields. So don't need to search nested json files. Just search fields you require.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@blaku,

Try

|makeresults |eval json="  {
             \"cve\" : {
               \"CVE_data_meta\" : {
                 \"ID\" : \"CVE-2013-0169\",
                 \"ASSIGNER\" : \"cve@mitre.org\"
               },
               \"affects\" : {
                 \"vendor\" : {
                   \"vendor_data\" : [ {
                     \"vendor_name\" : \"openssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"*\"
                           }, {
                             \"version_value\" : \"0.9.8\"
                           }, {
                             \"version_value\" : \"0.9.8a\"
                           }, {
                             \"version_value\" : \"0.9.8b\"
                           }, {
                             \"version_value\" : \"0.9.8c\"
                           }, {
                             \"version_value\" : \"0.9.8d\"
                           }, {
                             \"version_value\" : \"0.9.8f\"
                           }, {
                             \"version_value\" : \"0.9.8g\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"oracle\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openjdk\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"-\"
                           }, {
                             \"version_value\" : \"1.6.0\"
                           }, {
                             \"version_value\" : \"1.7.0\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"polarssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"polarssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"0.10.0\"
                           }, {
                             \"version_value\" : \"0.10.1\"
                           }, {
                             \"version_value\" : \"0.11.0\"
                           } ]
                         }
                       } ]
                     }
                   } ]
                 }
               }
             },
             \"publishedDate\" : \"2013-02-08T19:55Z\",
             \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
           }"
           |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name
           |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version 
           |eval z=mvzip(product_name,version,"#")|table z| mvexpand z
           |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version
           |spath input=Version output=Versions path=version_data{}.version_value
           |table Product,Versions
           |mvexpand Versions
Happy Splunking!

blaku
Explorer

@renjith.nair
Hi
When I tried it worked without problem.
It is movement as expected.
Thank you very much

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...