Splunk Search

Splunk searching nested json

blaku
Explorer

Hello,
I use automatic translation because I am not good at English. Sorry.

I loaded NVD's CVE list (JSON feed) into Splunk.
I searched with index="testIndex" product_name = "openssl" "version_data" = "1.6.0".
There is no "1.6.0" in the versions of openssl.

I want to link each product with its versions, but it does not work as expected.
I can't get spath or mvexpand to extract the nested arrays properly.
Can someone help me?

 {
            "cve" : {
              "CVE_data_meta" : {
                "ID" : "CVE-2013-0169",
                "ASSIGNER" : "cve@mitre.org"
              },
              "affects" : {
                "vendor" : {
                  "vendor_data" : [ {
                    "vendor_name" : "openssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "*"
                          }, {
                            "version_value" : "0.9.8"
                          }, {
                            "version_value" : "0.9.8a"
                          }, {
                            "version_value" : "0.9.8b"
                          }, {
                            "version_value" : "0.9.8c"
                          }, {
                            "version_value" : "0.9.8d"
                          }, {
                            "version_value" : "0.9.8f"
                          }, {
                            "version_value" : "0.9.8g"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "oracle",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openjdk",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "-"
                          }, {
                            "version_value" : "1.6.0"
                          }, {
                            "version_value" : "1.7.0"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "polarssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "polarssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "0.10.0"
                          }, {
                            "version_value" : "0.10.1"
                          }, {
                            "version_value" : "0.11.0"
                          } ]
                        }
                      } ]
                    }
                  } ]
                }
              }
            },
            "publishedDate" : "2013-02-08T19:55Z",
            "lastModifiedDate" : "2018-08-09T01:29Z"
          }
0 Karma
1 Solution

renjith_nair
Legend

@blaku,

Try

|makeresults |eval json="  {
             \"cve\" : {
               \"CVE_data_meta\" : {
                 \"ID\" : \"CVE-2013-0169\",
                 \"ASSIGNER\" : \"cve@mitre.org\"
               },
               \"affects\" : {
                 \"vendor\" : {
                   \"vendor_data\" : [ {
                     \"vendor_name\" : \"openssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"*\"
                           }, {
                             \"version_value\" : \"0.9.8\"
                           }, {
                             \"version_value\" : \"0.9.8a\"
                           }, {
                             \"version_value\" : \"0.9.8b\"
                           }, {
                             \"version_value\" : \"0.9.8c\"
                           }, {
                             \"version_value\" : \"0.9.8d\"
                           }, {
                             \"version_value\" : \"0.9.8f\"
                           }, {
                             \"version_value\" : \"0.9.8g\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"oracle\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openjdk\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"-\"
                           }, {
                             \"version_value\" : \"1.6.0\"
                           }, {
                             \"version_value\" : \"1.7.0\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"polarssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"polarssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"0.10.0\"
                           }, {
                             \"version_value\" : \"0.10.1\"
                           }, {
                             \"version_value\" : \"0.11.0\"
                           } ]
                         }
                       } ]
                     }
                   } ]
                 }
               }
             },
             \"publishedDate\" : \"2013-02-08T19:55Z\",
             \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
           }"
           |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name
           |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version 
           |eval z=mvzip(product_name,version,"#")|table z| mvexpand z
           |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version
           |spath input=Version output=Versions path=version_data{}.version_value
           |table Product,Versions
           |mvexpand Versions
---
What goes around comes around. If it helps, hit it with Karma 🙂


vmacedo
Explorer

Here is another solution, but this one does not need mvzip, split or mvindex:

|makeresults |eval json="  {
              \"cve\" : {
                \"CVE_data_meta\" : {
                  \"ID\" : \"CVE-2013-0169\",
                  \"ASSIGNER\" : \"cve@mitre.org\"
                },
                \"affects\" : {
                  \"vendor\" : {
                    \"vendor_data\" : [ {
                      \"vendor_name\" : \"openssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"*\"
                            }, {
                              \"version_value\" : \"0.9.8\"
                            }, {
                              \"version_value\" : \"0.9.8a\"
                            }, {
                              \"version_value\" : \"0.9.8b\"
                            }, {
                              \"version_value\" : \"0.9.8c\"
                            }, {
                              \"version_value\" : \"0.9.8d\"
                            }, {
                              \"version_value\" : \"0.9.8f\"
                            }, {
                              \"version_value\" : \"0.9.8g\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"oracle\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openjdk\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"-\"
                            }, {
                              \"version_value\" : \"1.6.0\"
                            }, {
                              \"version_value\" : \"1.7.0\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"polarssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"polarssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"0.10.0\"
                            }, {
                              \"version_value\" : \"0.10.1\"
                            }, {
                              \"version_value\" : \"0.11.0\"
                            } ]
                          }
                        } ]
                      }
                    } ]
                  }
                }
              },
              \"publishedDate\" : \"2013-02-08T19:55Z\",
              \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
            }"
            |spath input=json output=product_data path=cve.affects.vendor.vendor_data{}.product{}.product_data{}
            |mvexpand product_data
            |spath input=product_data path=product_name
            |spath input=product_data output=version path=version.version_data{}.version_value
            |mvexpand version
            |table product_name, version
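As an added example (not code from either answer), this Python walks the same vendor_data{} -> product_data{} -> version_data{} path that both spath pipelines above use, and shows why the original search matched: product_name and version_value tested separately against one whole event co-occur even when they belong to different vendors. The sample item is constructed, trimmed from the CVE-2013-0169 item quoted in the question.

```python
import json

# Constructed sample, trimmed from the NVD 1.0 feed item quoted in the thread.
CVE_ITEM = json.loads("""
{"cve": {
  "CVE_data_meta": {"ID": "CVE-2013-0169", "ASSIGNER": "cve@mitre.org"},
  "affects": {"vendor": {"vendor_data": [
    {"vendor_name": "openssl", "product": {"product_data": [
      {"product_name": "openssl", "version": {"version_data": [
        {"version_value": "*"}, {"version_value": "0.9.8"}, {"version_value": "0.9.8a"}]}}]}},
    {"vendor_name": "oracle", "product": {"product_data": [
      {"product_name": "openjdk", "version": {"version_data": [
        {"version_value": "-"}, {"version_value": "1.6.0"}, {"version_value": "1.7.0"}]}}]}},
    {"vendor_name": "polarssl", "product": {"product_data": [
      {"product_name": "polarssl", "version": {"version_data": [
        {"version_value": "0.10.0"}, {"version_value": "0.10.1"}]}}]}}
  ]}}}}
""")

def flatten_affects(item):
    """Walk vendor_data{} -> product_data{} -> version_data{}, the spath path used in
    the thread, and emit one (vendor, product, version) row per leaf, the same shape
    the mvexpand pipelines produce."""
    rows = []
    for vendor in item["cve"]["affects"]["vendor"]["vendor_data"]:
        for product in vendor["product"]["product_data"]:
            for ver in product["version"]["version_data"]:
                rows.append((vendor["vendor_name"], product["product_name"], ver["version_value"]))
    return rows

def naive_event_match(item, product, version):
    """What the original search did: product_name=X and version_value=Y are each tested
    against the whole event, so a product and a version from different vendors still
    co-occur and the event matches."""
    rows = flatten_affects(item)
    return any(r[1] == product for r in rows) and any(r[2] == version for r in rows)

def scoped_match(item, product, version):
    """Correct check: the version must sit under the same product_data entry. NVD's "*"
    and "-" are wildcard/unspecified markers, not concrete versions; this exact-string
    comparison deliberately does not expand them."""
    return any(r[1] == product and r[2] == version for r in flatten_affects(item))

if __name__ == "__main__":
    for row in flatten_affects(CVE_ITEM):
        print(row)
    print(naive_event_match(CVE_ITEM, "openssl", "1.6.0"))  # True: cross-product false positive
    print(scoped_match(CVE_ITEM, "openssl", "1.6.0"))       # False
    print(scoped_match(CVE_ITEM, "openjdk", "1.6.0"))       # True
```

The flattened rows are exactly what the mvexpand output gives you in Splunk; filtering on Product and Versions in that table is the scoped check, while filtering on the raw event is the naive one.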

to4kawa
Ultra Champion

Great! thank you

0 Karma

afroz
Path Finder

Hi,

Map the JSON logs to the _json sourcetype.

In props.conf, create a stanza like the one below.

[_json]
KV_MODE= json

It will extract the fields, so you don't need to search the nested JSON yourself; just search for the fields you require.

0 Karma

blaku
Explorer

@renjith.nair
Hi,
When I tried it, it worked without problem.
It behaves as expected.
Thank you very much.
