Hi,
First-time poster, also fairly new to Splunk, though I am fluent in Python and decent at SQL, so apologies if this post is awkward.
I am dealing with JSON that looks like this:
Actor: [
  {
    "ID": "8f71273c-c502-4a39-9607-6b272c9df",
    "Type": 0
  },
  {
    "ID": "email@myemail.com",
    "Type": 5
  },
  {
    "ID": "1003200038F18F0E",
    "Type": 3
  }
]
I am trying to dig out the email with spath (first time using this) and I am not getting the results I want. I am also getting weird results (for example, there are 3 fields, and if I use something like 100 it still returns data).
Here is my code; any help would be super appreciated.
This code works but does not do what I want (it produces 3 events since it is just taking ID). I just want the email, and I don't want to use a regex; I just want to dig deeper into the JSON.
index=mine Workload=AzureActiveDirectory ResultStatus=Succeeded Operation=UserLoggedIn
| bucket span=30s _time
| stats count dc(src) as mycount by "Actor{}.ID"
| where mycount>=3
| sort mycount desc
Here is the code that is not working, which I want to work:
index=mine Workload=AzureActiveDirectory ResultStatus=Succeeded Operation=UserLoggedIn
| bucket span=30s _time
| spath output=leon path=Actor{}.ID{1}
| stats count dc(src) as mycount by "Actor{}.ID{1}"
| where mycount>=3
| sort mycount desc
This returns no events.
I have played with various forms of .ID, and it never works.
Please help!
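The extraction and counting the post is trying to express in SPL, written out in Python as an added example (this is not code from the post or from Splunk). It assumes that the Actor entry whose Type is 5 is the one carrying the email address, as in the sample above, and it constructs its own events (the timestamps and src addresses are made up; 198.51.100.0/24 is a documentation range). It reproduces the pipeline `stats count dc(src) as mycount by <email> | where mycount>=3 | sort mycount desc` over 30-second buckets, i.e. it flags a user seen from three or more distinct sources within one bucket, and it skips events with no Type 5 entry or that are not valid JSON.

```python
import json
from collections import defaultdict

# Assumption: in this event schema the Actor entry with Type 5 holds the UPN/email.
UPN_TYPE = 5

# Constructed sample log lines. The Actor array mirrors the shape shown in the post;
# _time (epoch seconds) and src are invented for the demonstration.
EMAIL_ACTOR = [
    {"ID": "8f71273c-c502-4a39-9607-6b272c9df", "Type": 0},
    {"ID": "email@myemail.com", "Type": 5},
    {"ID": "1003200038F18F0E", "Type": 3},
]
OTHER_ACTOR = [
    {"ID": "a0b1c2d3-0000-4000-8000-000000000001", "Type": 0},
    {"ID": "other@myemail.com", "Type": 5},
]
NO_EMAIL_ACTOR = [  # no Type 5 entry at all
    {"ID": "a0b1c2d3-0000-4000-8000-000000000002", "Type": 0},
    {"ID": "1003200038F18F0F", "Type": 3},
]

SAMPLE_LOG_LINES = [
    json.dumps({"_time": 1700000011, "src": "198.51.100.10", "Actor": EMAIL_ACTOR}),
    json.dumps({"_time": 1700000020, "src": "198.51.100.11", "Actor": EMAIL_ACTOR}),
    json.dumps({"_time": 1700000035, "src": "198.51.100.12", "Actor": EMAIL_ACTOR}),
    json.dumps({"_time": 1700000038, "src": "198.51.100.10", "Actor": EMAIL_ACTOR}),  # repeat src
    json.dumps({"_time": 1700000045, "src": "198.51.100.13", "Actor": EMAIL_ACTOR}),  # next bucket
    json.dumps({"_time": 1700000015, "src": "198.51.100.20", "Actor": OTHER_ACTOR}),
    json.dumps({"_time": 1700000016, "src": "198.51.100.21", "Actor": NO_EMAIL_ACTOR}),
    "this line is not JSON and must be skipped",
]


def actor_email(event, upn_type=UPN_TYPE):
    """Return the ID of the Actor entry whose Type equals upn_type, or None.

    This is the selection the post wants: walk the Actor array and pick the
    element by its Type, instead of indexing the ID field by position.
    """
    for actor in event.get("Actor") or []:
        if isinstance(actor, dict) and actor.get("Type") == upn_type:
            ident = actor.get("ID")
            if isinstance(ident, str) and ident:
                return ident
    return None


def time_bucket(epoch, span=30):
    """Floor an epoch timestamp to the start of its span-second bucket (bucket span=30s _time)."""
    epoch = int(epoch)
    return epoch - (epoch % span)


def distinct_sources_per_user(log_lines, span=30, threshold=3):
    """Equivalent of: stats count dc(src) as mycount by _time(bucket), email
    | where mycount>=threshold | sort mycount desc.

    Returns a list of dicts with _time, email, count and mycount.
    """
    sources = defaultdict(set)  # (bucket, email) -> distinct src values
    counts = defaultdict(int)   # (bucket, email) -> number of events
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole run
        if not isinstance(event, dict):
            continue
        email = actor_email(event)
        if email is None or "_time" not in event or "src" not in event:
            continue  # no email actor or missing fields: nothing to group by
        key = (time_bucket(event["_time"], span), email)
        sources[key].add(event["src"])
        counts[key] += 1
    rows = [
        {"_time": bucket, "email": email, "count": counts[(bucket, email)], "mycount": len(srcs)}
        for (bucket, email), srcs in sources.items()
        if len(srcs) >= threshold
    ]
    rows.sort(key=lambda r: r["mycount"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in distinct_sources_per_user(SAMPLE_LOG_LINES):
        print(row)
```

On the constructed input only email@myemail.com is reported, for the bucket starting at 1700000010, with count 4 and mycount 3: the fourth event repeats an address already seen, so it raises the event count but not the distinct-source count, and the event at 1700000045 falls into the next bucket. The same idea in SPL is to pair the multivalue fields `Actor{}.ID` and `Actor{}.Type` (for example with mvzip) and keep the ID whose paired Type is 5, rather than indexing ID itself with `{1}`, since each ID is a single value, not an array.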