I've recently onboarded data from Gsuite to Splunk. I'm currently trying to create a few queries, but I'm having problems creating queries due to the JSON format. I'm currently just trying to create a table with owner name, file name, time, etc. I've tried using the spath command and JSON formatting, but I can't seem to get the data in a table. Here's an example query:
index="gsuite" sourcetype="gws:reports:drive"
| spath events{}.parameters{}.value.doc_title
but the field isn't created.
Here's the data in the events{}.parameters{}.value field
Here's a sample of the data.
{
    "actor": {
        "profileId": "Sample Text"
    },
    "etag": "\"Sample Text\"",
    "events": [{
        "name": "sheets_import_range",
        "parameters": [{
            "boolValue": true,
            "name": "primary_event"
        }, {
            "name": "billable"
        }, {
            "name": "recipient_doc",
            "value": "123456789"
        }, {
            "name": "doc_id",
            "value": "123456789"
        }, {
            "name": "doc_type",
            "value": "spreadsheet"
        }, {
            "name": "is_encrypted"
        }, {
            "name": "doc_title",
            "value": "sampletext.xls"
        }, {
            "name": "visibility",
            "value": "shared_externally"
        }, {
            "name": "actor_is_collaborator_account"
        }, {
            "name": "owner",
            "value": "johndoe@gmail.com"
        }, {
            "name": "owner_is_shared_drive"
        }, {
            "name": "owner_is_team_drive"
        }],
        "type": "access"
    }],
    "id": {
        "applicationName": "drive",
        "customerId": "123456789",
        "time": "2022-05-06T20:55:00.285Z",
        "uniqueQualifier": "-123456789"
    },
    "kind": "admin#reports#activity"
}
I would like the data to look like this:
owner              doc_title       doc_type     visibility
johndoe@gmail.com  sampletext.xls  spreadsheet  shared_externally
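The path `events{}.parameters{}.value.doc_title` finds nothing because `value` is a plain string and the field name lives in the sibling `name` key, so the parameters list has to be pivoted on `name` before it can become columns. The following added Python example (not from the post or from Splunk) does that pivot over a constructed copy of the record above; the extra payload keys `intValue` and `multiValue` come from the Google Reports API schema rather than the post.

```python
import json

# Constructed sample record in the Google Workspace Drive activity format
# shown in the post (placeholder values, not real data).
SAMPLE_RECORD = json.dumps({
    "actor": {"profileId": "Sample Text"},
    "events": [{
        "name": "sheets_import_range",
        "type": "access",
        "parameters": [
            {"boolValue": True, "name": "primary_event"},
            {"name": "billable"},
            {"name": "doc_id", "value": "123456789"},
            {"name": "doc_type", "value": "spreadsheet"},
            {"name": "doc_title", "value": "sampletext.xls"},
            {"name": "visibility", "value": "shared_externally"},
            {"name": "owner", "value": "johndoe@gmail.com"},
            {"name": "owner_is_shared_drive"},
        ],
    }],
    "id": {"applicationName": "drive", "customerId": "123456789",
           "time": "2022-05-06T20:55:00.285Z"},
})

def flatten_parameters(params):
    """Pivot the name/value list into a dict keyed by parameter name.
    A parameter with none of the payload keys is a bare flag; its
    presence is the information, so it is recorded as True."""
    out = {}
    for p in params:
        for key in ("value", "boolValue", "intValue", "multiValue"):
            if key in p:
                out[p["name"]] = p[key]
                break
        else:
            out[p["name"]] = True
    return out

def drive_activity_rows(raw, columns=("owner", "doc_title", "doc_type", "visibility")):
    """Return one table row per event: time, event name and the requested columns."""
    record = json.loads(raw)
    rows = []
    for ev in record.get("events", []):
        flat = flatten_parameters(ev.get("parameters", []))
        row = {"time": record["id"]["time"], "event": ev.get("name")}
        row.update({c: flat.get(c) for c in columns})
        rows.append(row)
    return rows
```

The same pivot is what a Splunk search has to perform with `spath` on `events{}.parameters{}.name` and `events{}.parameters{}.value` followed by zipping and expanding the two multivalue fields; a `visibility` of `shared_externally` is the column a defender would filter on for external-sharing review.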