Splunk Search

expand json array to multiple events, then search constraints on the results

zachsisinst
Explorer

Hello, I've gone through a hundred of these types of posts and nothing is working for me. Here is the nested json array that I would like to split into a table of individual events, based on the computer.hardware.storage.device.partition{} and computer.general.name. Once I have these split into individual events, I would like to only put the 'boot' device event in the table.

{
    "computer": {
        "general": {
            "name": "woohoo-l3"
        },
        "hardware": {
            "storage": {
                "device": {
                    "partition": [
                        {
                            "name": "Macintosh HD (Boot Partition)",
                            "type": "boot",
                            "filevault_status": "Encrypted",
                            "filevault_percent": "100",
                        },
                        {
                            "name": "Recovery",
                            "type": "other",
                            "filevault_status": "Not Encrypted",
                            "filevault_percent": "0",
                        }
                    ]
                }
            }
        }
    }
}

I have come up with the following search but it does not do what I want. I've been messing with this all day and I'm stuck. Any help would be greatly appreciated!

index=sec-inventory sourcetype="jamf-computers" "c02z912nlvdl" 
| spath
| rename computer.hardware.storage.device{}.partition.filevault_status as filevault_status 
| rename computer.hardware.storage.device.partition{}.type as partitiontype
| rename computer.general.name as computername 
| eval zipped=mvzip(filevault_status, partitiontype)
| mvexpand zipped
| eval zipped=split(zipped, ",")
| eval filevault_status=mvindex(zipped, 0)
| eval type=mvindex(zipped, 1)
| fillnull value="null" 
| table computername, partitiontype, filevault_status
| search partitiontype="boot" 

The table should look like

alt text

0 Karma

to4kawa
Ultra Champion
 index=sec-inventory sourcetype="jamf-computers" "c02z912nlvdl" 
| spath computer.hardware.storage.device.partition{} output=partition
| spath computer.general.name output=computername
| stats values(computername) as computername by partition
| spath input=partition
| fields - partition

this is enough.

0 Karma

zachsisinst
Explorer

this returns no results in the stats table.

0 Karma

vnravikumar
Champion

Hi

Please try the following and check whether your JSON data is a valid one.
Finally, add your filter.

| makeresults 
| eval temp=" {
     \"computer\": {
         \"general\": {
             \"name\": \"woohoo-l3\"
                                     },
         \"hardware\": {
             \"storage\": {
                 \"device\": {
                     \"partition\": [
                         {
                             \"name\": \"Macintosh HD (Boot Partition)\",
                             \"type\": \"boot\",
                             \"filevault_status\": \"Encrypted\",
                             \"filevault_percent\": \"100\"
                                                     },
                         {
                             \"name\": \"Recovery\",
                             \"type\": \"other\",
                             \"filevault_status\": \"Not Encrypted\",
                             \"filevault_percent\": \"0\"
                                                     }
                     ]
                 }
             }
         }
     }
 }" 
| spath input=temp 
| rename computer.hardware.storage.device.partition{}.filevault_status as filevault_status 
| rename computer.hardware.storage.device.partition{}.type as partitiontype 
| rename computer.general.name as computername 
| fields computername partitiontype filevault_status 
| eval temp=mvzip(partitiontype,filevault_status) 
| table computername temp 
| mvexpand temp 
| eval value=split(temp,",") 
| eval partitiontype=mvindex(value,0),filevault_status=mvindex(value,1) 
| table computername partitiontype filevault_status
0 Karma

zachsisinst
Explorer

I can't seem to get this to work still.

index=sec-inventory sourcetype="jamf-computers" 
| spath 
| rename computer.hardware.storage.device.partition{}.filevault_status as filevault_status 
| rename computer.hardware.storage.device.partition{}.type as partitiontype 
| rename computer.general.name as computername 
| fields computername partitiontype filevault_status 
| eval temp=mvzip(partitiontype,filevault_status) 
| table computername temp 
| mvexpand temp 
| eval value=split(temp,",") 
| eval partitiontype=mvindex(value,0),filevault_status=mvindex(value,1) 
| table computername partitiontype filevault_status
0 Karma
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...