For that, I have a bit of magic for you.
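| makeresults
``` Constructed sample: a sandbox-style report placed in _raw as valid JSON (no trailing commas). Inline comments need Splunk 8.0 or later. ```
| eval _raw=" {
\"analysis\":{
\"behavior\":{
\"processes\":{
\"process\":[
{
\"fileactivities\":{
\"fileCreated\":{
\"call\":[
{
\"path\":\"C:\\\\Windows\\\\a\",
\"status\":\"status1\"
},
{
\"path\":\"C:\\\\b\",
\"status\":\"status2\"
}
]
}
}
}
]
}
}
}
}"
``` kv relies on automatic JSON detection of _raw; spath is the explicit alternative if the fields come back empty. ```
| kv
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.status" as fileCreated_status
``` Pair path[i] with status[i]. The pipe character is used as the delimiter because it cannot occur in a Windows path, so the pair splits back unambiguously even when a path contains a comma (the mvzip default). Positional pairing assumes every call object carries both keys; a call missing status would shift every later pair and report a path with another call's status. ```
| eval temp=mvzip(fileCreated_path,fileCreated_status,"|")
| mvexpand temp
| eval fileCreated_path=mvindex(split(temp,"|"),0),fileCreated_status=mvindex(split(temp,"|"),1)
``` Keep only file creations under the Windows directory. ```
| search fileCreated_path="C:\\Windows\\*"
| table _time fileCreated_path fileCreated_status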
Happy Splunking