Only select matching JSON data

joesecurity
Engager

I load JSON reports into Splunk and those reports have many arrays:

{  
   "analysis":{  
      "behavior":{  
         "processes":{  
            "process":[  
               {  
                  "fileactivities":{  
                     "fileCreated":{  
                        "call":[  
                           {  
                              "path":"C:\\Windows\\a"
                           },
                           {  
                              "path":"C:\\b"
                           }
                        ]
                     }
                  }
               }
            ]
         }
      }
   }
}

When I search:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*"

I often like to show the matching data. I use a table to do so:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | table "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"

However, the issue is that this shows me all fileCreated of the matching event and not only the one starting with C:\Windows.

How do I filter that?


kamlesh_vaghela
SplunkTrust

@joesecurity

Can you please try the below search?

source=test | rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path 
| mvexpand fileCreated_path 
| search fileCreated_path="C:\\Windows\\*"

My Sample Search:

| makeresults 
| eval _raw="{\"analysis\":{\"behavior\":{\"processes\":{\"process\":[{\"fileactivities\":{\"fileCreated\":{\"call\":[{\"path\":\"C:\\\\Windows\\\\a\"},{\"path\":\"C:\\\\b\"}]}}}]}}}}" 
| kv 
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path 
| mvexpand fileCreated_path 
| search fileCreated_path="C:\\Windows\\*"


joesecurity
Engager

I tried this on my data but I don't get any results.


joesecurity
Engager

Is there a way to debug the call to see why it does not work?


kamlesh_vaghela
SplunkTrust

@joesecurity

Did you get any results from the below search? Can you please confirm?

source=test | table "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path"

joesecurity
Engager

No results found in the visualization tab.


kamlesh_vaghela
SplunkTrust

In the Statistics tab?


joesecurity
Engager

I found it. There was a difference between the JSON format listed in the example and the actual data.


joesecurity
Engager

One last question: let us assume "call" has more elements, for example also "status". How can I list the "path" and "status" for all calls which have path="C:\Windows*"?


kamlesh_vaghela
SplunkTrust

For that, I have some magic for you.

| makeresults 
| eval _raw="{
    \"analysis\":{
       \"behavior\":{
          \"processes\":{
             \"process\":[
                {
                   \"fileactivities\":{
                      \"fileCreated\":{
                         \"call\":[
                            {
                               \"path\":\"C:\\\\Windows\\\\a\",
                               \"status\":\"status1\"
                            },
                            {
                               \"path\":\"C:\\\\b\",
                               \"status\":\"status2\"
                            }
                         ]
                      }
                   }
                }
             ]
          }
       }
    }
 }" 
| kv 
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.status" as fileCreated_status 
| eval temp=mvzip(fileCreated_path,fileCreated_status) 
| mvexpand temp 
| eval fileCreated_path=mvindex(split(temp,","),0),fileCreated_status=mvindex(split(temp,","),1) 
| search fileCreated_path="C:\\Windows\\*"
| table _time fileCreated_path fileCreated_status

Happy Splunking

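As an added example (not from this thread's posts), the same path-plus-status filtering done without mvzip: extract the call{} array with spath so each element stays one JSON object, mvexpand those objects, then spath each one. This keeps a call's fields together even when a path contains a comma, which would break the split(temp,",") step above; the event is constructed inline and assumes the field names used in this thread.

```spl
| makeresults
| eval _raw="{\"analysis\":{\"behavior\":{\"processes\":{\"process\":[{\"fileactivities\":{\"fileCreated\":{\"call\":[{\"path\":\"C:\\\\Windows\\\\a\",\"status\":\"status1\"},{\"path\":\"C:\\\\Windows\\\\Temp\\\\x,y.tmp\",\"status\":\"status2\"},{\"path\":\"C:\\\\b\",\"status\":\"status3\"}]}}}]}}}}"
| spath output=call path="analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}"
| mvexpand call
| spath input=call
| search path="C:\\Windows\\*"
| table _time path status
```

The result is one row per matching call (the two C:\Windows\ paths with status1 and status2); the comma in the second path does not disturb the pairing because the path and status are parsed from the same object.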

tom_frotscher
Builder

Looks like your field is a multivalue field because the way through your JSON Object is the same for all fields called "path".

You can select a value from a multivalue field with the help of eval and mvindex:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | eval path=mvindex('behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path',0) | table path

Does this work for you?


joesecurity
Engager

This does not really help as I want to search all paths in all events but obviously only show the paths which matched.


tom_frotscher
Builder

Then you might use mvfilter to filter down your multivalue fields to what you need in the end? Like using a regex with mvfilter that filters out only paths that start with C:\\Windows*.


tom_frotscher
Builder

I will give you an example. You can copy this and run it in your Splunk:

| makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field | eval path=mvfilter(match(field,"C:\\\\Windows.*"))

Everything up to | makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field should look like your result and the | eval path=mvfilter(match(field,"C:\\\\Windows.*")) filters down the result to the C:\Windows* match.


kamlesh_vaghela
SplunkTrust

@joesecurity

Can you please share a sample event?


joesecurity
Engager

Added event data.
