Splunk Search

How to search in a JSON array of hashes?

jselvi
Explorer

I have a JSON entry as follows:

{ [-] 
        name:  change_user_access 
        parameters: [ [-] 
         { [+] 
         } 
         { [-] 
            name:  target_user 
            value:  me@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [-] 
            name:  owner 
            value:  peter@corp.com 
         } 
         { [+] 
         } 
         { [+] 
         } 
         { [+] 
         } 
       ] 

I'm trying to find a way to get only those events where:

  • name == "change_user_access"
  • owner == "*@corp.com"
  • target_user != "*@corp.com"

The problem is that I don't know how to request something like: 'if name="owner" and value="*@corp.com" in the same hash'.
Any ideas?

0 Karma

axl88
Communicator

I do this type of alerting via the field-extractions feature. I write my regex for each field I want to extract and use these fields for alert conditionals. Moreover, it is easier to maintain since all your extractions are saved in settings. Also, I personally don't like having lines of command in my Splunk searches.

1) In the extracted field, write your regex with lookahead/lookbehind and give it an appropriate name. In your case, you should look for the existence of change_user_access and then look for the other fields extracted. Your regex should look like:

(?:Name\s\:)(?P<top_in_hierarcy>[^\-]+?)(?=\nParameters)

2) Then you should do the same for the other fields you want to extract.
3) When setting up the alert, add the top_in_hierarcy field above to your search as "top_in_hierarcy=change_user_access". It will bring only those events, and you can work more easily with the details using other Splunk features as well as regex.

0 Karma

javiergn
Super Champion

See if the following helps. Please note I'm assuming you have separated events. If that's not the case please provide more information about your JSON.

| stats count | fields - count
| eval _raw = "{ [-] 
         name:  change_user_access 
         parameters: [ [-] 
          { [+] 
          } 
          { [-] 
             name:  target_user 
             value:  me@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [-] 
             name:  owner 
             value:  peter@corp.com 
          } 
          { [+] 
          } 
          { [+] 
          } 
          { [+] 
          } 
        ] "
| regex _raw = "(?msi)name:  change_user_access.+name:  owner \s+value:  peter@corp.com"
| regex _raw != "(?msi)name:  target_user \s+value:  [^\s@]+@corp.com"

EDIT
Worst case, simply extract your JSON with spath and filter with search or where afterwards.

0 Karma
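The spath route mentioned in the edit above, worked through for the three conditions in the original question (name == "change_user_access", owner == "*@corp.com", target_user != "*@corp.com"). This is an added example, not code from either poster. It assumes the indexed raw event is real JSON (the `{ [-]` / `[ [+]` layout in the question is the Splunk event viewer's rendering, not the raw text), so that `spath` produces the multivalue fields `parameters{}.name` and `parameters{}.value`. The event fed in via `makeresults` is constructed here: an internal owner granting access to an address outside corp.com, which is the case the alert is meant to catch.

```spl
| makeresults
| eval _raw="{\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"reason\",\"value\":\"ticket-123\"},{\"name\":\"target_user\",\"value\":\"someone@example.org\"},{\"name\":\"owner\",\"value\":\"peter@corp.com\"}]}"
| spath
| eval pairs=mvzip('parameters{}.name', 'parameters{}.value', "=")
| eval owner=replace(mvindex(pairs, mvfind(pairs, "^owner=")), "^owner=", "")
| eval target_user=replace(mvindex(pairs, mvfind(pairs, "^target_user=")), "^target_user=", "")
| fields - pairs
| search name="change_user_access" owner="*@corp.com" NOT target_user="*@corp.com"
| table _time name owner target_user
```

`mvzip` pairs the n-th parameter name with the n-th parameter value, so each element of `pairs` is one hash ("owner=peter@corp.com"); `mvfind` locates the hash whose name you care about and `replace` strips the prefix, which is how the "name and value in the same hash" constraint is expressed. Two caveats: the pairing assumes every hash carries both a name and a value, so compare `mvcount('parameters{}.name')` with `mvcount('parameters{}.value')` on real data before trusting the alignment; and `NOT target_user="*@corp.com"` also matches events with no target_user parameter at all, so add `target_user=*` to the search clause if the alert should require one. With the question's own sample (target_user me@corp.com) the final `search` correctly drops the event. For the real alert, replace the first two lines with the index/sourcetype search, and omit `| spath` if the sourcetype already has KV_MODE=json extraction.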

axl88
Communicator

To be clear, do you want to index only events with these fields, or is this already indexed and you want to extract events that have these values?

0 Karma

jselvi
Explorer

This is already indexed. I want to extract those events and create an alert.

0 Karma