Splunk Search
Highlighted

how do I table common nested json keys that have uncommon parent json keys?

Path Finder

I have the following JSON event that I'm indexing in splunk:

{
    "plugins": {
        "Redirection": {
            "pluginstatus": "active",
            "wpvulndb": {
                "popular": true,
                "vulnerabilities": [{
                    "vulnerablestatus": false,
                    "title": "Redirection 2.3.3 - view/admin/item.php URL H&ling Reflected XSS",
                    "created_at": "2014-08-01T10:59:06.000Z",
                    "updated_at": "2015-05-15T13:48:24.000Z",
                    "vuln_type": "XSS",
                    "references": {},
                    "published_date": null,
                    "fixed_in": "2.3.4",
                    "id": 7001
                }, {
                    "vulnerablestatus": false,
                    "title": "Redirection - view/admin/log_item.php Non-existent Posts Referer HTTP Header XSS",
                    "created_at": "2014-08-01T10:59:06.000Z",
                    "updated_at": "2015-05-15T13:48:24.000Z",
                    "vuln_type": "XSS",
                    "references": {
                        "cve": ["2011-4562"],
                        "secunia": ["46310"]
                    },
                    "published_date": null,
                    "fixed_in": "2.2.10",
                    "id": 7002
                }, {
                    "vulnerablestatus": false,
                    "title": "Redirection - wp-admin/tools.php id Parameter XSS",
                    "created_at": "2014-08-01T10:59:06.000Z",
                    "updated_at": "2015-05-15T13:48:24.000Z",
                    "vuln_type": "XSS",
                    "references": {
                        "secunia": ["45782"]
                    },
                    "published_date": null,
                    "fixed_in": "2.2.9",
                    "id": 7003
                }],
                "last_updated": "2018-01-30T07:26:00.000Z",
                "latest_version": "3.1.1"
            },
            "version": "2.6.6",
            "pluginpath": "redirection/redirection.php"
        },
        "Yoast SEO Premium": {
            "pluginstatus": "active",
            "wpvulndb": {
                "popular": false,
                "vulnerabilities": [{
                    "vulnerablestatus": false,
                    "title": "WordPress SEO by Yoast <= 2.0.1 - Cross-Site Scripting (XSS)",
                    "created_at": "2015-04-20T17:38:38.000Z",
                    "updated_at": "2015-10-01T08:11:16.000Z",
                    "vuln_type": "XSS",
                    "published_date": "2015-04-20T00:00:00.000Z",
                    "fixed_in": "2.1",
                    "id": 7913
                }],
                "last_updated": null,
                "latest_version": null
            },
            "version": "3.0.7",
            "pluginpath": "wordpress-seo-premium/wp-seo-premium.php"
        }
    }
}

if you notice, each 'plugin' has its own 'vulnerablestatus' and other common fields, however the plugin names are all unique. How would I create a table that would display each plugin name (in this case, "Redirection" and "Yoast SEO Premium") and its "vulnerablestatus" if its "vulnerablestatus"=true ? Ideally I dont want to have to reference each plugin when building the table. i.e. |table plugins.*.vulnerabilities{}.vulnerablestatus, plugins.*.vulnerabilities{}.title This search doesn't do what I want.

I would like each row to look like this:

pluginname | plugin vulnerability | vulnerabilitystatus
......................................................................................................
redirection   | "... HTTP Header XSS" | false 
redirection   | "... Parameter XSS"      | false 
Yoast SEO ... |" ... XSS"               | false
0 Karma