Splunk Search

How do I extract multiple fields from a json array?


I'm having issues properly extracting all the fields I'm after from some json.  The logs are from a script that dumps all the AWS Security Groups into a json file that is ingested into Splunk by a UF.  Below is a sanitized example of the output of one AWS Security Group.   I've tried various iterations of spath with mvzip, mvindex, mvexpand.  I've also tried to no avail using foreach.  I'm stumped as to how to get Splunk to pull out each instance of CidrIp and Description inside the FromPort.


The end goal is to be able to search for a port or an address and get back all the corresponding info.

Example Search:
index=something FromPort=22
| table FromPort, CidrIp, Description, ToPort

Example Results
FromPort, CidrIp, Description, ToPort
22,, Server01 SSH rule, 22
22,, Server 002 inbound , 22


Right now my extraction of the fields only results in the first value for each rule.


When working correctly it would look like this and would contain all the rules in the log.




| makeresults
| eval _raw="{
    \"Description\": \"Rules for server\",
    \"GroupId\": \"sg-02d3a65ece83ba3a98\",
    \"GroupName\": \"Fake group name\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Some Host - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server003\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server004\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server to Server\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Another server to other stuff\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Another server to other stuff\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49763,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 35226,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - Netbios\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - DCOM\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - MS-DS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 443,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - HTTPS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 443,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": -1,
            \"IpProtocol\": \"icmp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Ping\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": -1,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 1024,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - High Ports\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"223310898711\",
    \"VpcId\": \"vpc-192ac32be1b1a987c\"
}"
| spath IpPermissions{}.FromPort output=a_FromPort
| spath IpPermissions{}.IpProtocol output=a_IpProtocol
| spath IpPermissions{}.IpRanges{}.CidrIp output=a_CidrIp
| spath IpPermissions{}.IpRanges{}.Description output=a_Description
| spath IpPermissions{}.ToPort output=a_ToPort
| eval a_zipped=mvzip(mvzip(mvzip(mvzip(a_FromPort, a_IpProtocol), a_CidrIp), a_Description), a_ToPort)
| mvexpand a_zipped
| eval b_FromPort=mvindex(split(a_zipped,","),0), b_IpProtocol=mvindex(split(a_zipped,","),1), b_CidrIp=mvindex(split(a_zipped,","),2), b_Description=mvindex(split(a_zipped,","),3), b_ToPort=mvindex(split(a_zipped,","),4)
| table b_FromPort, b_IpProtocol, b_CidrIp, b_Description, b_ToPort, a_zipped





First of all, thank you for posting a well-constructed question with all the information needed.

Try this:

| makeresults
| eval _raw="{
    \"Description\": \"Rules for server\",
    \"GroupId\": \"sg-02d3a65ece83ba3a98\",
    \"GroupName\": \"Fake group name\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Some Host - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server003\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server004\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server to Server\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Another server to other stuff\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Another server to other stuff\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49763,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 35226,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - Netbios\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - DCOM\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - MS-DS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 443,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - HTTPS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 443,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": -1,
            \"IpProtocol\": \"icmp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Ping\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": -1,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 1024,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Server 007 - High Ports\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"223310898711\",
    \"VpcId\": \"vpc-192ac32be1b1a987c\"
}"
| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions FromPort output=FromPort
| spath input=IpPermissions IpProtocol output=IpProtocol
| spath input=IpPermissions IpRanges{}.CidrIp output=CidrIp
| spath input=IpPermissions IpRanges{}.Description output=Description
| spath input=IpPermissions ToPort output=ToPort
| eval a_zipped=mvzip(CidrIp, Description)
| mvexpand a_zipped
| eval CidrIp=mvindex(split(a_zipped,","),0), Description=mvindex(split(a_zipped,","),1)
| table FromPort, IpProtocol, CidrIp, Description, ToPort


Thank you so much for that. That worked perfectly for the initial example I provided. I ran those commands against a larger set of SGs and some corner cases appeared.

I tried various incantations of coalesce, fillnull and isnull but haven't figured out how to handle it when there is no description.


You'll see port 22 has 5 instead of 7 results.  Port 139 has a single blank-ish result.  Port 445 has 4 instead of 7 results.


| makeresults
| eval _raw="{
    \"Description\": \"Another SG Example\",
    \"GroupId\": \"sg-0b3332aaac8fceeb0\",
    \"GroupName\": \"AWS SG Example\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"A different group os servers\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49152,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"549913499662\",
    \"VpcId\": \"vpc-b3h97aaa8b2fa8d2\"
}"
| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions FromPort output=FromPort
| spath input=IpPermissions IpProtocol output=IpProtocol
| spath input=IpPermissions IpRanges{}.CidrIp output=CidrIp
| spath input=IpPermissions IpRanges{}.Description output=Description
| spath input=IpPermissions ToPort output=ToPort
| eval a_zipped=mvzip(CidrIp, Description)
| mvexpand a_zipped
| eval CidrIp=mvindex(split(a_zipped,","),0), Description=mvindex(split(a_zipped,","),1)
| table FromPort, IpProtocol, CidrIp, Description, ToPort




@user_303_user You shouldn't need mvzip on well-structured data. But you need to follow the actual hierarchy. This is the code you want:


| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions
| spath input=IpPermissions path=IpRanges{}
| mvexpand IpRanges{}
| spath input=IpRanges{}
| table FromPort, IpProtocol, CidrIp, Description, ToPort


Your simulated data will result in

FromPort, IpProtocol, CidrIp, Description, ToPort
22, tcp, 10.14.0.0/16, A different group os servers, 22
22, tcp, 10.14.111.136/32, , 22
22, tcp, 10.14.111.171/32, , 22
22, tcp, 10.14.111.24/32, Monitoring Service, 22
22, tcp, 10.14.111.11/32, Monitoring Service, 22
22, tcp, 10.14.111.37/32, Monitoring Service, 22
22, tcp, 10.14.111.59/32, Monitoring Service, 22
49152, tcp, 10.14.111.24/32, Monitoring Service, 65535
49152, tcp, 10.14.111.11/32, Monitoring Service, 65535
49152, tcp, 10.14.111.37/32, Monitoring Service, 65535
49152, tcp, 10.14.111.59/32, Monitoring Service, 65535
139, tcp, 10.14.111.157/32, , 139
139, tcp, 10.14.110.0/24, , 139
139, tcp, 10.14.111.171/32, , 139
135, tcp, 10.14.111.24/32, Monitoring Service, 135
135, tcp, 10.14.111.11/32, Monitoring Service, 135
135, tcp, 10.14.111.37/32, Monitoring Service, 135
135, tcp, 10.14.111.59/32, Monitoring Service, 135
445, tcp, 10.14.111.157/32, , 445
445, tcp, 10.14.111.136/32, , 445
445, tcp, 10.14.111.171/32, , 445
445, tcp, 10.14.111.24/32, Monitoring Service, 445
445, tcp, 10.14.111.11/32, Monitoring Service, 445
445, tcp, 10.14.111.37/32, Monitoring Service, 445
445, tcp, 10.14.111.59/32, Monitoring Service, 445

| makeresults
| eval _raw="{
    \"Description\": \"Another SG Example\",
    \"GroupId\": \"sg-0b3332aaac8fceeb0\",
    \"GroupName\": \"AWS SG Example\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"A different group os servers\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49152,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"549913499662\",
    \"VpcId\": \"vpc-b3h97aaa8b2fa8d2\"
}"
| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions FromPort output=FromPort
| spath input=IpPermissions IpProtocol output=IpProtocol
| spath input=IpPermissions ToPort output=ToPort
| spath input=IpPermissions IpRanges{} output=IpRanges
| mvexpand IpRanges
| spath input=IpRanges CidrIp output=CidrIp
| spath input=IpRanges Description output=Description
| table FromPort, IpProtocol, CidrIp, Description, ToPort
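The level-by-level walk that the last two answers do with one spath/mvexpand per array, next to the flat mvzip pairing that the follow-up found dropping rows when Description is absent, as an added Python example that is not code from the thread: the security group, its group id and its RFC 1918 CIDRs are constructed. It goes a step beyond the thread's exact-match lookup, since rules_matching treats FromPort..ToPort as a range and tests CIDR containment, so an address query also finds the wider /16 that covers it.

```python
import ipaddress

# Constructed sample shaped like the describe-security-groups output in the
# thread; the group id and the RFC 1918 CIDRs are made up, not from any account.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"FromPort": 22, "IpProtocol": "tcp", "ToPort": 22,
         "IpRanges": [
             {"CidrIp": "10.14.0.0/16", "Description": "A different group of servers"},
             {"CidrIp": "10.14.111.136/32"},  # no Description: the corner case
             {"CidrIp": "10.14.111.24/32", "Description": "Monitoring Service"},
         ]},
        {"FromPort": 49152, "IpProtocol": "tcp", "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.14.111.24/32", "Description": "Monitoring Service"}]},
        {"FromPort": 139, "IpProtocol": "tcp", "ToPort": 139,
         "IpRanges": [{"CidrIp": "10.14.111.157/32"}]},  # no Description at all
    ],
}


def flatten_flat_zip(sg):
    """Mimic the original flat-path search: pull every CidrIp and every
    Description out as two independent lists and pair them by position
    (what mvzip does), ignoring which IpPermissions entry each came from."""
    cidrs = [r["CidrIp"] for p in sg["IpPermissions"] for r in p["IpRanges"]]
    descs = [r["Description"] for p in sg["IpPermissions"]
             for r in p["IpRanges"] if "Description" in r]
    # A missing Description shifts every later pair onto the wrong CidrIp and
    # the result is truncated to the shorter list: 3 pairs here, not 5 rows.
    return list(zip(cidrs, descs))


def flatten_by_hierarchy(sg):
    """Walk IpPermissions -> IpRanges one level at a time, which is what the
    mvexpand-per-level SPL in the answers does: each CidrIp keeps its own
    FromPort/ToPort, and a missing Description becomes '' for that row only."""
    rows = []
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            rows.append({
                "FromPort": perm.get("FromPort", -1),  # AWS omits ports for protocol -1
                "IpProtocol": perm["IpProtocol"],
                "CidrIp": rng["CidrIp"],
                "Description": rng.get("Description", ""),
                "ToPort": perm.get("ToPort", -1),
            })
    return rows


def rules_matching(rows, port=None, address=None):
    """The end goal from the question: which rules cover a port and/or an
    address. Ports are matched as a range (FromPort..ToPort, -1 = all ports)
    and addresses by CIDR containment, not by exact string equality."""
    hits = []
    for row in rows:
        if port is not None and row["FromPort"] != -1 and not (
                row["FromPort"] <= port <= row["ToPort"]):
            continue
        if address is not None and ipaddress.ip_address(address) not in \
                ipaddress.ip_network(row["CidrIp"], strict=False):
            continue
        hits.append(row)
    return hits
```

The three pairs from flatten_flat_zip, one of them attached to the wrong CidrIp, are the same symptom as the follow-up's "5 instead of 7 results" for port 22.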