I load JSON reports into Splunk and those reports have many arrays:
{
  "analysis": {
    "behavior": {
      "processes": {
        "process": [
          {
            "fileactivities": {
              "fileCreated": {
                "call": [
                  {
                    "path": "C:\\Windows\\a"
                  },
                  {
                    "path": "C:\\b"
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }
}
When I search:
source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*"
I often like to show the matching data. I use a table to do so:
source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | table "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"
However, the issue is that this shows me all fileCreated of the matching event and not only the one starting with C:\Windows.
How do I filter that?
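An added example (not part of the question above) that mimics how Splunk's JSON extraction flattens a report like this into dotted field names with a `{}` suffix for arrays, and shows why the event-level search keeps every value of the multivalue field while a per-value filter keeps only the matching paths. The sample report and the field name are constructed from the JSON in the question.

```python
import fnmatch
import json
from collections import defaultdict

# Constructed sample report, shaped like the sandbox JSON in the question.
SAMPLE_EVENT = json.dumps({
    "analysis": {"behavior": {"processes": {"process": [
        {"fileactivities": {"fileCreated": {"call": [
            {"path": "C:\\Windows\\a"},
            {"path": "C:\\b"},
        ]}}}
    ]}}}
})

# Field name as Splunk would derive it: arrays add "{}" to the key.
PATH_FIELD = "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path"


def flatten(obj, prefix=""):
    """Flatten nested JSON into Splunk-style dotted field names.

    Every element of an array lands in the same multivalue field, which is
    why one event carries all of its fileCreated paths under one key.
    """
    fields = defaultdict(list)
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            for k, v in flatten(value, name).items():
                fields[k].extend(v)
    elif isinstance(obj, list):
        for item in obj:
            for k, v in flatten(item, prefix + "{}").items():
                fields[k].extend(v)
    else:
        fields[prefix].append(obj)
    return dict(fields)


def _wildcard(value, pattern):
    # Case-insensitive glob, like a Splunk search-time wildcard.
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def event_matches(fields, field, pattern):
    """Event-level test (what the search does): true if ANY value matches."""
    return any(_wildcard(v, pattern) for v in fields.get(field, []))


def matching_values(fields, field, pattern):
    """Value-level filter: only the values that match the wildcard."""
    return [v for v in fields.get(field, []) if _wildcard(v, pattern)]


if __name__ == "__main__":
    ev = flatten(json.loads(SAMPLE_EVENT))
    print(ev[PATH_FIELD])                                  # both paths
    print(matching_values(ev, PATH_FIELD, "C:\\Windows*"))  # only C:\Windows\a
```

In SPL the value-level step corresponds to an eval with mvfilter() over match() on the path field, applied before the table command.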