Hello, I've gone through a hundred of these types of posts and nothing is working for me. Here is the nested json array that I would like to split into a table of individual events, based on the computer.hardware.storage.device.partition{} and computer.general.name . Once I have these split into individual events, I would like to only put the 'boot' device event in the table.
{
"computer": {
"general": {
"name": "woohoo-l3"
},
"hardware": {
"storage": {
"device": {
"partition": [
{
"name": "Macintosh HD (Boot Partition)",
"type": "boot",
"filevault_status": "Encrypted",
"filevault_percent": "100",
},
{
"name": "Recovery",
"type": "other",
"filevault_status": "Not Encrypted",
"filevault_percent": "0",
}
]
}
}
}
}
}
I have come up with the following search but it does not do what I want. I've been messing with this all day and I'm stuck. Any help would be greatly appreciated!
index=sec-inventory sourcetype="jamf-computers" "c02z912nlvdl"
| spath
| rename computer.hardware.storage.device{}.partition.filevault_status as filevault_status
| rename computer.hardware.storage.device.partition{}.type as partitiontype
| rename computer.general.name as computername
| eval zipped=mvzip(filevault_status, partitiontype)
| mvexpand zipped
| eval zipped=split(zipped, ",")
| eval filevault_status=mvindex(zipped, 0)
| eval type=mvindex(zipped, 1)
| fillnull value="null"
| table computername, partitiontype, filevault_status
| search partitiontype="boot"
The table should look like
... View more