Splunk Search

Splunk searching nested json

blaku
Explorer

Hello
I use automatic translation because I am not good at English. sorry.

I took NVD 's CVE list (Json Feed) into Splunk.
That's index="testIndex" product_name = "openssl" "version_data" = "1.6.0" Searching with
There is no "1.6.0" in the version of openssl

I want to link product with version but it does not work as expected.
I can't get spath or mvexpand to extract the nested arrays properly
Someone help me.

 {
            "cve" : {
              "CVE_data_meta" : {
                "ID" : "CVE-2013-0169",
                "ASSIGNER" : "[email protected]"
              },
              "affects" : {
                "vendor" : {
                  "vendor_data" : [ {
                    "vendor_name" : "openssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "*"
                          }, {
                            "version_value" : "0.9.8"
                          }, {
                            "version_value" : "0.9.8a"
                          }, {
                            "version_value" : "0.9.8b"
                          }, {
                            "version_value" : "0.9.8c"
                          }, {
                            "version_value" : "0.9.8d"
                          }, {
                            "version_value" : "0.9.8f"
                          }, {
                            "version_value" : "0.9.8g"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "oracle",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "openjdk",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "-"
                          }, {
                            "version_value" : "1.6.0"
                          }, {
                            "version_value" : "1.7.0"
                          } ]
                        }
                      } ]
                    }
                  }, {
                    "vendor_name" : "polarssl",
                    "product" : {
                      "product_data" : [ {
                        "product_name" : "polarssl",
                        "version" : {
                          "version_data" : [ {
                            "version_value" : "0.10.0"
                          }, {
                            "version_value" : "0.10.1"
                          }, {
                            "version_value" : "0.11.0"
                          } ]
                        }
                      } ]
                    }
                  } ]
                }
              }
            },
            "publishedDate" : "2013-02-08T19:55Z",
            "lastModifiedDate" : "2018-08-09T01:29Z"
          }
0 Karma
1 Solution

renjith_nair
Legend

@blaku,

Try

|makeresults |eval json="  {
             \"cve\" : {
               \"CVE_data_meta\" : {
                 \"ID\" : \"CVE-2013-0169\",
                 \"ASSIGNER\" : \"[email protected]\"
               },
               \"affects\" : {
                 \"vendor\" : {
                   \"vendor_data\" : [ {
                     \"vendor_name\" : \"openssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"*\"
                           }, {
                             \"version_value\" : \"0.9.8\"
                           }, {
                             \"version_value\" : \"0.9.8a\"
                           }, {
                             \"version_value\" : \"0.9.8b\"
                           }, {
                             \"version_value\" : \"0.9.8c\"
                           }, {
                             \"version_value\" : \"0.9.8d\"
                           }, {
                             \"version_value\" : \"0.9.8f\"
                           }, {
                             \"version_value\" : \"0.9.8g\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"oracle\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openjdk\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"-\"
                           }, {
                             \"version_value\" : \"1.6.0\"
                           }, {
                             \"version_value\" : \"1.7.0\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"polarssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"polarssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"0.10.0\"
                           }, {
                             \"version_value\" : \"0.10.1\"
                           }, {
                             \"version_value\" : \"0.11.0\"
                           } ]
                         }
                       } ]
                     }
                   } ]
                 }
               }
             },
             \"publishedDate\" : \"2013-02-08T19:55Z\",
             \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
           }"
           |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name
           |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version 
           |eval z=mvzip(product_name,version,"#")|table z| mvexpand z
           |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version
           |spath input=Version output=Versions path=version_data{}.version_value
           |table Product,Versions
           |mvexpand Versions
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

vmacedo
Explorer

Here is another solution, but this one does not need mvzip, split or mvindex:

|makeresults |eval json="  {
              \"cve\" : {
                \"CVE_data_meta\" : {
                  \"ID\" : \"CVE-2013-0169\",
                  \"ASSIGNER\" : \"[email protected]\"
                },
                \"affects\" : {
                  \"vendor\" : {
                    \"vendor_data\" : [ {
                      \"vendor_name\" : \"openssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"*\"
                            }, {
                              \"version_value\" : \"0.9.8\"
                            }, {
                              \"version_value\" : \"0.9.8a\"
                            }, {
                              \"version_value\" : \"0.9.8b\"
                            }, {
                              \"version_value\" : \"0.9.8c\"
                            }, {
                              \"version_value\" : \"0.9.8d\"
                            }, {
                              \"version_value\" : \"0.9.8f\"
                            }, {
                              \"version_value\" : \"0.9.8g\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"oracle\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"openjdk\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"-\"
                            }, {
                              \"version_value\" : \"1.6.0\"
                            }, {
                              \"version_value\" : \"1.7.0\"
                            } ]
                          }
                        } ]
                      }
                    }, {
                      \"vendor_name\" : \"polarssl\",
                      \"product\" : {
                        \"product_data\" : [ {
                          \"product_name\" : \"polarssl\",
                          \"version\" : {
                            \"version_data\" : [ {
                              \"version_value\" : \"0.10.0\"
                            }, {
                              \"version_value\" : \"0.10.1\"
                            }, {
                              \"version_value\" : \"0.11.0\"
                            } ]
                          }
                        } ]
                      }
                    } ]
                  }
                }
              },
              \"publishedDate\" : \"2013-02-08T19:55Z\",
              \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
            }"
            |spath input=json output=product_data path=cve.affects.vendor.vendor_data{}.product{}.product_data{}
            |mvexpand product_data
            |spath input=product_data path=product_name
            |spath input=product_data output=version path=version.version_data{}.version_value
            |mvexpand version
            |table product_name, version

to4kawa
Ultra Champion

Great! thank you

0 Karma

afroz
Path Finder

Hi,

Map JSON logs to _json sourcetype.

In the props.conf file create stanza like below.

[_json]
KV_MODE= json

It will extract fields. So don't need to search nested json files. Just search fields you require.

0 Karma

renjith_nair
Legend

@blaku,

Try

|makeresults |eval json="  {
             \"cve\" : {
               \"CVE_data_meta\" : {
                 \"ID\" : \"CVE-2013-0169\",
                 \"ASSIGNER\" : \"[email protected]\"
               },
               \"affects\" : {
                 \"vendor\" : {
                   \"vendor_data\" : [ {
                     \"vendor_name\" : \"openssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"*\"
                           }, {
                             \"version_value\" : \"0.9.8\"
                           }, {
                             \"version_value\" : \"0.9.8a\"
                           }, {
                             \"version_value\" : \"0.9.8b\"
                           }, {
                             \"version_value\" : \"0.9.8c\"
                           }, {
                             \"version_value\" : \"0.9.8d\"
                           }, {
                             \"version_value\" : \"0.9.8f\"
                           }, {
                             \"version_value\" : \"0.9.8g\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"oracle\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"openjdk\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"-\"
                           }, {
                             \"version_value\" : \"1.6.0\"
                           }, {
                             \"version_value\" : \"1.7.0\"
                           } ]
                         }
                       } ]
                     }
                   }, {
                     \"vendor_name\" : \"polarssl\",
                     \"product\" : {
                       \"product_data\" : [ {
                         \"product_name\" : \"polarssl\",
                         \"version\" : {
                           \"version_data\" : [ {
                             \"version_value\" : \"0.10.0\"
                           }, {
                             \"version_value\" : \"0.10.1\"
                           }, {
                             \"version_value\" : \"0.11.0\"
                           } ]
                         }
                       } ]
                     }
                   } ]
                 }
               }
             },
             \"publishedDate\" : \"2013-02-08T19:55Z\",
             \"lastModifiedDate\" : \"2018-08-09T01:29Z\"
           }"
           |spath input=json output=product_name path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.product_name
           |spath input=json output=version path=cve.affects.vendor.vendor_data{}.product{}.product_data{}.version 
           |eval z=mvzip(product_name,version,"#")|table z| mvexpand z
           |eval s=split(z,"#")|eval Product=mvindex(s,0),Version=mvindex(s,1)|fields Product,Version
           |spath input=Version output=Versions path=version_data{}.version_value
           |table Product,Versions
           |mvexpand Versions
---
What goes around comes around. If it helps, hit it with Karma 🙂

blaku
Explorer

@renjith.nair
Hi
When I tried it worked without problem.
It is movement as expected.
Thank you very much

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...