Parsing JSON file

franciscof · ‎05-20-2020

Hi everyone, I'm having an issue with a JSON file. The thing is, I have to extract some evaluations that the file does, but those are multiple evaluations inside the "STATUS" field (see screenshot attached) so this field has the two possible STATUS INSIDE (COMPLIANT and NON_COMPLIANT) and when I filter to get only one, the filter does not work and I keep getting both results back when I run my search. Here I leave the query that I've been testing and attached you'll find a sample of the issue.

index=aws eventSource="config.amazonaws.com" additionalEventData.managedRuleIdentifier="S3_BUCKET_PUBLIC_READ_PROHIBITED" awsRegion="us-east-1" recipientAccountId="149676245134" | rename requestParameters.evaluations{}.complianceResourceId as S3 requestParameters.evaluations{}.complianceType as STATUS, recipientAccountId as ACCOUNT
| spath output=requestParameters.evaluations path=STATUS
| search STATUS=NON_COMPLIANT
| table S3 STATUS ACCOUNT

Any idea of what I can do?

Thanks in advance to whoever has time to answer!

to4kawa · ‎05-23-2020

index=aws eventSource="config.amazonaws.com" additionalEventData.managedRuleIdentifier="S3_BUCKET_PUBLIC_READ_PROHIBITED" awsRegion="us-east-1" recipientAccountId="149676245134" 
| spath requestParameters.evaluations{} output=evaluations
| stats values(recipientAccountId) as ACCOUNT by evaluations
| spath input=evaluations
| rename complianceResourceId as S3, complianceType as STATUS
| search STATUS=NON_COMPLIANT
| table S3 STATUS ACCOUNT

How about this?

Parsing JSON file

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases