I have nested json events indexed in Splunk. Here's an example of 2 (note confidence value differs):
Event 1:
{ [-]
email: hidden@hidden.com
filter: confidence >= 60
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Raw E1:
{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", "integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, {"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], "email": " hidden@hidden.com", "filter": "confidence >= 60", "id": 2087, "last_intelligence": "2017-02-21T11:54:39.260329+00:00"}
Event 2:
{ [-]
email: hidden@hidden.com
filter: confidence >= 50
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Raw E2:
{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", "integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, {"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], "email": " hidden@hidden.com", "filter": "confidence >= 50", "id": 2087, "last_intelligence": "2017-02-21T11:54:39.260329+00:00"}
Fields are extracted into fields integration{}.name, integration{}.product, integration{}.product_version, i.e. integration{}.product_version=9.3, integration{}.product_version=3020.
I want each nested value to be represented as a single event for each "integration{}.*". If we imagine this as events:
Event 1A:
{ [-]
email: hidden@hidden.com
filter: confidence >= 60
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Event 1B:
{ [-]
email: hidden@hidden.com
filter: confidence >= 60
id: 2087
integrations: [ [-]
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Event 2A:
{ [-]
email: hidden@hidden.com
filter: confidence >= 50
id: 2087
integrations: [ [-]
{ [-]
name: nitro
product: nitro
product_version: 9.3
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
Event 2B:
{ [-]
email: hidden@hidden.com
filter: confidence >= 50
id: 2087
integrations: [ [-]
{ [-]
name: paloaltonetworks
product: paloaltonetworks
product_version: 3020
}
]
last_intelligence: 2017-02-21T11:54:39.260329+00:00
title: hidden
user_id: 8721
username: hidden@hidden.com
}
I am experimenting with spath and mvexpand searches but I am getting some odd results and behaviour using examples from previous answer threads (lots of duplicated events, mvfields, etc).
Ultimately I want to graph these events as tables like:
username, user_id, id, email,title,name,product,product_version,last_intelligence,filter
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, nitro, nitro, 9.3, 2017-02-21T11:54:39.260329+00:00, confidence >= 60
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, paloaltonetworks, paloaltonetworks, 3020, 2017-02-21T11:54:39.260329+00:00, confidence >= 60
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, nitro, nitro, 9.3, 2017-02-21T11:54:39.260329+00:00, confidence >= 50
hidden@hidden.com, 8721, 2087, hidden@hidden.com, hidden, paloaltonetworks, paloaltonetworks, 3020, 2017-02-21T11:54:39.260329+00:00, confidence >= 50
One note which might be pertinent: all my events have the same timestamp (using DATETIME_CONFIG=CURRENT).
Can anyone give me any pointers? Thanks!
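The following is an added Python model of what the question is asking for, not code from the question or from Splunk. It parses constructed copies of the two raw events pasted above, emits one flat row per element of the `integrations` array (the semantics of `mvexpand` applied to the whole array element, which in SPL corresponds to `| spath path=integrations{} output=integration | mvexpand integration | spath input=integration`), and also models the pitfall that produces the "lots of duplicated events": expanding each `integrations{}.*` multivalue field independently yields the cross product of their values rather than one row per array element. Function names, the `COLUMNS` list, and the stripping of the leading space in the raw `username`/`email` values are assumptions made for this example.

```python
import json
from itertools import product

# Constructed copies of Raw E1 and Raw E2 from the question (only "filter" differs).
RAW_EVENTS = [
    '{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", '
    '"integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, '
    '{"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], '
    '"email": " hidden@hidden.com", "filter": "confidence >= 60", "id": 2087, '
    '"last_intelligence": "2017-02-21T11:54:39.260329+00:00"}',
    '{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", '
    '"integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, '
    '{"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], '
    '"email": " hidden@hidden.com", "filter": "confidence >= 50", "id": 2087, '
    '"last_intelligence": "2017-02-21T11:54:39.260329+00:00"}',
]

ARRAY_FIELD = "integrations"  # the nested array to expand (assumed name, taken from the events)

# Column order of the table the question wants (assumed from the example table).
COLUMNS = ["username", "user_id", "id", "email", "title", "name", "product",
           "product_version", "last_intelligence", "filter"]


def expand_event(raw, array_field=ARRAY_FIELD):
    """Return one flat dict per element of event[array_field], each carrying the parent fields.

    This is the 'expand the whole array element, then extract its keys' approach:
    the child keys (name, product, product_version) stay tied to each other, so a
    two-element array yields exactly two rows, never a cross product.
    """
    event = json.loads(raw)
    items = event.get(array_field, [])
    if not isinstance(items, list):          # tolerate a single object instead of an array
        items = [items]
    # Parent fields; the raw events carry a leading space in username/email, so strip strings.
    parent = {k: (v.strip() if isinstance(v, str) else v)
              for k, v in event.items() if k != array_field}
    if not items:                            # keep the parent row even if the array is empty
        return [dict(parent)]
    rows = []
    for item in items:
        row = dict(parent)
        row.update(item)                     # child keys land beside the parent keys
        rows.append(row)
    return rows


def to_table(raws, columns=COLUMNS):
    """Flatten every raw event into rows of string cells in the requested column order."""
    return [[str(row.get(col, "")) for col in columns]
            for raw in raws for row in expand_event(raw)]


def expand_fieldwise(raw, array_field=ARRAY_FIELD):
    """Model of expanding each integrations{}.* multivalue field on its own.

    Once name, product and product_version are three independent multivalue
    fields, expanding them one after another produces every combination of
    their values: 2 x 2 x 2 = 8 rows for a two-element array, 6 of which pair
    values from different array elements. This is the duplication to avoid.
    """
    event = json.loads(raw)
    items = event.get(array_field, [])
    keys = sorted({k for item in items for k in item})
    per_field = {k: [item.get(k) for item in items] for k in keys}
    return [dict(zip(keys, combo)) for combo in product(*(per_field[k] for k in keys))]


if __name__ == "__main__":
    print(", ".join(COLUMNS))
    for row in to_table(RAW_EVENTS):
        print(", ".join(row))
    print(f"\nfield-wise expansion of event 1: {len(expand_fieldwise(RAW_EVENTS[0]))} rows")
```

Running the script prints the four-row table from the question (two rows per event, one per integration) and then reports eight rows for the field-wise expansion of a single event, which is the combinatorial blow-up a per-field `mvexpand` would produce on the same data.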