Solved: Re: Splunk searching nested json

blaku · ‎08-11-2018

Hello
I use automatic translation because I am not good at English. sorry.

I took NVD 's CVE list (Json Feed) into Splunk.
That's index="testIndex" product_name = "openssl" "version_data" = "1.6.0" Searching with
There is no "1.6.0" in the version of openssl

I want to link product with version but it does not work as expected.
I can't get spath or mvexpand to extract the nested arrays properly
Someone help me.

 {
            "cve" : {
              "CVE_data_meta" : {
                "ID" : "CVE-2013-0169",
                "ASSIGNER" : "cve@mitre.org"
              },
              "affects" : {
                "vendor" : {
                  "vendor_data" : [ {
                    "vendor_name" : "openssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "*"
                          }, {
                            "version_value" : "0.9.8"
                          }, {
                            "version_value" : "0.9.8a"
                          }, {
                            "version_value" : "0.9.8b"
                          }, {
                            "version_value" : "0.9.8c"
                          }, {
                            "version_value" : "0.9.8d"
                          }, {
                            "version_value" : "0.9.8f"
                          }, {
                            "version_value" : "0.9.8g"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "oracle",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openjdk",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "-"
                          }, {
                            "version_value" : "1.6.0"
                          }, {
                            "version_value" : "1.7.0"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "polarssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "polarssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "0.10.0"
                          }, {
                            "version_value" : "0.10.1"
                          }, {
                            "version_value" : "0.11.0"
                          } ]
                        }
                      } ]
                    }
                  } ]
                }
              }
            },
            "publishedDate" : "2013-02-08T19:55Z",
            "lastModifiedDate" : "2018-08-09T01:29Z"
          }

renjith_nair · ‎08-12-2018

@blaku,

Try

|makeresults |eval json="  {
             \"cve\" : {
               \"CVE_data_meta\" : {
                 \"ID\" : \"CVE-2013-0169\",
                 \"ASSIGNER\" : \"cve@mitre.org\"
               },
               \"affects\" : {
                 \"vendor\" : {
                   \"vendor_data\" : [ {
                     \"vendor_name\" : \"openssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"*\"
                           }, {
                             \"version_value\" : \"0.9.8\"
                           }, {
                             \"version_value\" : \"0.9.8a\"
                           }, {
                             \"version_value\" : \"0.9.8b\"
                           }, {
                             \"version_value\" : \"0.9.8c\"
                           }, {
                             \"version_value\" : \"0.9.8d\"
                           }, {
                             \"version_value\" : \"0.9.8f\"
                           }, {
                             \"version_value\" : \"0.9.8g\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"oracle\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openjdk\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"-\"
                           }, {
                             \"version_value\" : \"1.6.0\"
                           }, {
                             \"version_value\" : \"1.7.0\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"polarssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"polarssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"0.10.0\"
                           }, {
                             \"version_value\" : \"0.10.1\"
                           }, {
                             \"version_value\" : \"0.11.0\"
                           } ]
                         }
                       } ]
                     }
                   } ]
                 }
               }
             },
             \"publishedDate\" : \"2013-02-08T19:55Z\",
             \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
           }"
           |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name
           |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version 
           |eval z=mvzip(product_name,version,"#")|table z| mvexpand z
           |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version
           |spath input=Version output=Versions path=version_data{}.version_value
           |table Product,Versions
           |mvexpand Versions

Happy Splunking!

View solution in original post

vmacedo · ‎12-04-2019

Here is another solution, but this one does not need mvzip, split or mvindex:

|makeresults |eval json="  {
              \"cve\" : {
                \"CVE_data_meta\" : {
                  \"ID\" : \"CVE-2013-0169\",
                  \"ASSIGNER\" : \"cve@mitre.org\"
                },
                \"affects\" : {
                  \"vendor\" : {
                    \"vendor_data\" : [ {
                      \"vendor_name\" : \"openssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"*\"
                            }, {
                              \"version_value\" : \"0.9.8\"
                            }, {
                              \"version_value\" : \"0.9.8a\"
                            }, {
                              \"version_value\" : \"0.9.8b\"
                            }, {
                              \"version_value\" : \"0.9.8c\"
                            }, {
                              \"version_value\" : \"0.9.8d\"
                            }, {
                              \"version_value\" : \"0.9.8f\"
                            }, {
                              \"version_value\" : \"0.9.8g\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"oracle\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openjdk\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"-\"
                            }, {
                              \"version_value\" : \"1.6.0\"
                            }, {
                              \"version_value\" : \"1.7.0\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"polarssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"polarssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"0.10.0\"
                            }, {
                              \"version_value\" : \"0.10.1\"
                            }, {
                              \"version_value\" : \"0.11.0\"
                            } ]
                          }
                        } ]
                      }
                    } ]
                  }
                }
              },
              \"publishedDate\" : \"2013-02-08T19:55Z\",
              \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
            }"
            |spath input=json output=product_data path=cve.affects.vendor.vendor_data{}.product{}.product_data{}
            |mvexpand product_data
            |spath input=product_data path=product_name
            |spath input=product_data output=version path=version.version_data{}.version_value
            |mvexpand version
            |table product_name, version

to4kawa · ‎12-05-2019

Great! thank you

afroz · ‎08-12-2018

Hi,

Map JSON logs to _json sourcetype.

In the props.conf file create stanza like below.

[_json]
KV_MODE= json

It will extract fields. So don't need to search nested json files. Just search fields you require.

renjith_nair · ‎08-12-2018

@blaku,

Try

|makeresults |eval json="  {
             \"cve\" : {
               \"CVE_data_meta\" : {
                 \"ID\" : \"CVE-2013-0169\",
                 \"ASSIGNER\" : \"cve@mitre.org\"
               },
               \"affects\" : {
                 \"vendor\" : {
                   \"vendor_data\" : [ {
                     \"vendor_name\" : \"openssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"*\"
                           }, {
                             \"version_value\" : \"0.9.8\"
                           }, {
                             \"version_value\" : \"0.9.8a\"
                           }, {
                             \"version_value\" : \"0.9.8b\"
                           }, {
                             \"version_value\" : \"0.9.8c\"
                           }, {
                             \"version_value\" : \"0.9.8d\"
                           }, {
                             \"version_value\" : \"0.9.8f\"
                           }, {
                             \"version_value\" : \"0.9.8g\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"oracle\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openjdk\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"-\"
                           }, {
                             \"version_value\" : \"1.6.0\"
                           }, {
                             \"version_value\" : \"1.7.0\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"polarssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"polarssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"0.10.0\"
                           }, {
                             \"version_value\" : \"0.10.1\"
                           }, {
                             \"version_value\" : \"0.11.0\"
                           } ]
                         }
                       } ]
                     }
                   } ]
                 }
               }
             },
             \"publishedDate\" : \"2013-02-08T19:55Z\",
             \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
           }"
           |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name
           |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version 
           |eval z=mvzip(product_name,version,"#")|table z| mvexpand z
           |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version
           |spath input=Version output=Versions path=version_data{}.version_value
           |table Product,Versions
           |mvexpand Versions

Happy Splunking!

blaku · ‎08-14-2018

@renjith.nair
Hi
When I tried it worked without problem.
It is movement as expected.
Thank you very much

Splunk searching nested json

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk