Splunk Search

expand json array to multiple events, then search constraints on the results

zachsisinst
Explorer

Hello, I've gone through a hundred of these types of posts and nothing is working for me. Here is the nested json array that I would like to split into a table of individual events, based on the computer.hardware.storage.device.partition{} and computer.general.name. Once I have these split into individual events, I would like to only put the 'boot' device event in the table.

{
    "computer": {
        "general": {
            "name": "woohoo-l3"
        },
        "hardware": {
            "storage": {
                "device": {
                    "partition": [
                        {
                            "name": "Macintosh HD (Boot Partition)",
                            "type": "boot",
                            "filevault_status": "Encrypted",
                            "filevault_percent": "100",
                        },
                        {
                            "name": "Recovery",
                            "type": "other",
                            "filevault_status": "Not Encrypted",
                            "filevault_percent": "0",
                        }
                    ]
                }
            }
        }
    }
}

I have come up with the following search but it does not do what I want. I've been messing with this all day and I'm stuck. Any help would be greatly appreciated!

index=sec-inventory sourcetype="jamf-computers" "c02z912nlvdl" 
| spath
| rename computer.hardware.storage.device{}.partition.filevault_status as filevault_status 
| rename computer.hardware.storage.device.partition{}.type as partitiontype
| rename computer.general.name as computername 
| eval zipped=mvzip(filevault_status, partitiontype)
| mvexpand zipped
| eval zipped=split(zipped, ",")
| eval filevault_status=mvindex(zipped, 0)
| eval type=mvindex(zipped, 1)
| fillnull value="null" 
| table computername, partitiontype, filevault_status
| search partitiontype="boot" 

The table should look like this:

[screenshot not reproduced]


to4kawa
Ultra Champion
index=sec-inventory sourcetype="jamf-computers" "c02z912nlvdl"
| spath computer.hardware.storage.device.partition{} output=partition
| spath computer.general.name output=computername
| stats values(computername) as computername by partition
| spath input=partition
| fields - partition

This is enough.


zachsisinst
Explorer

This returns no results in the stats table.


vnravikumar
Champion

Hi

Please try the following and check whether your JSON data is valid.
Finally, add your filter.

| makeresults
| eval temp="{
    \"computer\": {
        \"general\": {
            \"name\": \"woohoo-l3\"
        },
        \"hardware\": {
            \"storage\": {
                \"device\": {
                    \"partition\": [
                        {
                            \"name\": \"Macintosh HD (Boot Partition)\",
                            \"type\": \"boot\",
                            \"filevault_status\": \"Encrypted\",
                            \"filevault_percent\": \"100\"
                        },
                        {
                            \"name\": \"Recovery\",
                            \"type\": \"other\",
                            \"filevault_status\": \"Not Encrypted\",
                            \"filevault_percent\": \"0\"
                        }
                    ]
                }
            }
        }
    }
}"
| spath input=temp
| rename computer.hardware.storage.device.partition{}.filevault_status as filevault_status
| rename computer.hardware.storage.device.partition{}.type as partitiontype
| rename computer.general.name as computername
| fields computername partitiontype filevault_status
| eval temp=mvzip(partitiontype,filevault_status)
| table computername temp
| mvexpand temp
| eval value=split(temp,",")
| eval partitiontype=mvindex(value,0),filevault_status=mvindex(value,1)
| table computername partitiontype filevault_status

zachsisinst
Explorer

I can't seem to get this to work still.

index=sec-inventory sourcetype="jamf-computers" 
| spath 
| rename computer.hardware.storage.device.partition{}.filevault_status as filevault_status 
| rename computer.hardware.storage.device.partition{}.type as partitiontype 
| rename computer.general.name as computername 
| fields computername partitiontype filevault_status 
| eval temp=mvzip(partitiontype,filevault_status) 
| table computername temp 
| mvexpand temp 
| eval value=split(temp,",") 
| eval partitiontype=mvindex(value,0),filevault_status=mvindex(value,1) 
| table computername partitiontype filevault_status
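Added here as an illustration and not part of any post in this thread: a search that expands each element of the partition array into its own event with mvexpand and then runs spath on that element, so it does not depend on splitting mvzip output on commas (which breaks if a value such as the partition name contains one) and keeps every partition tied to the computer it came from. The index, sourcetype and field paths are the ones from the question.

```spl
index=sec-inventory sourcetype="jamf-computers"
| spath path=computer.general.name output=computername
| spath path=computer.hardware.storage.device.partition{} output=partition
| mvexpand partition
| spath input=partition path=name output=partition_name
| spath input=partition path=type output=partitiontype
| spath input=partition path=filevault_status output=filevault_status
| spath input=partition path=filevault_percent output=filevault_percent
| where partitiontype="boot"
| table computername partition_name partitiontype filevault_status filevault_percent
```

To turn this into an encryption-compliance check, change the where clause to `partitiontype="boot" AND filevault_status!="Encrypted"` so the table lists only boot volumes that are not FileVault-encrypted.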