I'm indexing some JSON data that describes an AWS security group. Inside this JSON are nested pairs of port combinations (so a "from port" and a "to port" field) that are paired up with a set of allowed IP addresses. These JSON blobs can contain multiple sets of port pairs, with an arbitrary number of their own unique IP addresses.
I'm attempting to take this JSON data and separate out results into their IP, and port pairs into a table.
I've attempt the following search, which does properly expand my results to return three events for the three separate pairs of ports (22, 8301, 8301 for the below example), but now I'm stuck trying to separate out the IPs to match up properly as well.
| rename rules{}.to_port as to_port, rules{}.from_port as from_port, rules{}.grants{}.cidr_ip as cidr_ip
| eval a = mvzip(from_port,to_port,"|")
| mvexpand a
| rex field=a "(?<from_port>[^\|]+)\|(?<to_port>[^\|]+)"
| table id,name,description,attach,cidr_ip,from_port,to_port
End result I'm looking for would be something like the below table.
cidr_ip from_port to_port
1.1.1.1/32 22 22
1.1.1.2/32 22 22
10.9.0.0/16 8301 8301
Below is a below example of the JSON data.
{
"instances": [
{
"id": "i-03"
}
],
"region": "us-east-1",
"id": "sg-51111111",
"name": "example",
"description": "example",
"account_id": "111111111111",
"owner_id": "111111111111",
"rules_egress": [
{
"from_port": null,
"ipRanges": "",
"grants": [
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "0.0.0.0/0"
}
],
"groups": "",
"ip_protocol": "-1",
"to_port": null
}
],
"vpc_id": "vpc-7132332321a",
"tags": {},
"rules": [
{
"from_port": "22",
"ipRanges": "",
"grants": [
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "1.1.1.7/32"
},
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "1.1.1.1/32"
},
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "1.1.1.2/32"
},
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "1.1.1.3/32"
},
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "1.1.1.4/32"
},
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "1.1.1.5/32"
},
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "1.1.1.6/32"
}
],
"groups": "",
"ip_protocol": "tcp",
"to_port": "22"
},
{
"from_port": "8301",
"ipRanges": "",
"grants": [
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "10.9.0.0/16"
}
],
"groups": "",
"ip_protocol": "udp",
"to_port": "8301"
},
{
"from_port": "8301",
"ipRanges": "",
"grants": [
{
"owner_id": null,
"name": null,
"group_id": null,
"cidr_ip": "10.9.0.0/16"
}
],
"groups": "",
"ip_protocol": "tcp",
"to_port": "8301"
}
]
... View more