Splunk Search

How do I extract multiple fields from a json array?

user_303_user
Observer

I'm having issues properly extracting all the fields I'm after from some json.  The logs are from a script that dumps all the AWS Security Groups into a json file that is ingested into Splunk by a UF.  Below is a sanitized example of the output of one AWS Security Group.   I've tried various iterations of spath with mvzip, mvindex, mvexpand.  I've also tried to no avail using foreach.  I'm stumped as to how to get Splunk to pull out each instance of CidrIp and Description inside the FromPort.

 

The end goal is to be able to search for a port or an address and get back all the corresponding info.

Example Search:
index=something FromPort=22
| table FromPort, CidrIp, Description, ToPort

Example Results
FromPort, CidrIp, Description, ToPort
22, 10.10.10.1, Server01 SSH rule, 22
22, 10.10.10.2, Server 002 inbound , 22
etc....

 

Right now my extracting the fields only results in the first field for each rule.

results.png

When working correctly it would look like this and would contain all the rules in the log.

expected.png

 

 

| makeresults 
| eval _raw="{
    \"Description\": \"Rules for server\",
    \"GroupId\": \"sg-02d3a65ece83ba3a98\",
    \"GroupName\": \"Fake group name\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.59/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.24/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Some Host - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.11/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.136/32\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.171/32\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.37/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.174/32\",
                    \"Description\": \"Server003\"
                },
                {
                    \"CidrIp\": \"10.64.77.154/32\",
                    \"Description\": \"Server004\"
                },
                {
                    \"CidrIp\": \"10.226.109.245/32\",
                    \"Description\": \"Server to Server\"
                },
                {
                    \"CidrIp\": \"10.226.109.157/32\",
                    \"Description\": \"Another server to other stuff\"
                },
                {
                    \"CidrIp\": \"10.226.109.172/32\",
                    \"Description\": \"Another server to other stuff\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49763,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.59/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.64.77.24/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.64.77.37/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.64.77.11/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.226.109.157/32\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"10.226.109.172/32\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 35226,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - Netbios\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - DCOM\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - MS-DS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 443,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - HTTPS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 443,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": -1,
            \"IpProtocol\": \"icmp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.59/32\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"10.64.77.24/32\",
                    \"Description\": \"Ping\"
                },
                {
                    \"CidrIp\": \"10.64.77.11/32\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"10.64.77.37/32\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"10.226.109.157/32\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"10.226.109.172/32\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": -1,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 1024,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - High Ports\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"0.0.0.0/0\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"223310898711\",
    \"VpcId\": \"vpc-192ac32be1b1a987c\"
}" 
| spath IpPermissions{}.FromPort output=a_FromPort 
| spath IpPermissions{}.IpProtocol output=a_IpProtocol 
| spath IpPermissions{}.IpRanges{}.CidrIp output=a_CidrIp 
| spath IpPermissions{}.IpRanges{}.Description output=a_Description 
| spath IpPermissions{}.ToPort output=a_ToPort 
| eval a_zipped=mvzip(mvzip(mvzip(mvzip(a_FromPort, a_IpProtocol), a_CidrIp), a_Description), a_ToPort) 
| mvexpand a_zipped 
| eval b_FromPort=mvindex(split(a_zipped,","),0), b_IpProtocol=mvindex(split(a_zipped,","),1), b_CidrIp=mvindex(split(a_zipped,","),2), b_Description=mvindex(split(a_zipped,","),3), b_ToPort=mvindex(split(a_zipped,","),4) 
| table b_FromPort, b_IpProtocol, b_CidrIp, b_Description, b_ToPort, a_zipped

 

 

0 Karma

ITWhisperer
SplunkTrust

First of all, thank you for posting a well-constructed question with all the information needed.

Try this:

| makeresults 
| eval _raw="{
    \"Description\": \"Rules for server\",
    \"GroupId\": \"sg-02d3a65ece83ba3a98\",
    \"GroupName\": \"Fake group name\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.59/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.24/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Some Host - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.11/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.136/32\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.171/32\",
                    \"Description\": \"SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.37/32\",
                    \"Description\": \"Monitoring App - SSH\"
                },
                {
                    \"CidrIp\": \"10.64.77.174/32\",
                    \"Description\": \"Server003\"
                },
                {
                    \"CidrIp\": \"10.64.77.154/32\",
                    \"Description\": \"Server004\"
                },
                {
                    \"CidrIp\": \"10.226.109.245/32\",
                    \"Description\": \"Server to Server\"
                },
                {
                    \"CidrIp\": \"10.226.109.157/32\",
                    \"Description\": \"Another server to other stuff\"
                },
                {
                    \"CidrIp\": \"10.226.109.172/32\",
                    \"Description\": \"Another server to other stuff\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49763,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.59/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.64.77.24/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.64.77.37/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.64.77.11/32\",
                    \"Description\": \"Monitoring - Other Ports\"
                },
                {
                    \"CidrIp\": \"10.226.109.157/32\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"10.226.109.172/32\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 35226,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - Netbios\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - DCOM\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - MS-DS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 443,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - HTTPS\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 443,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": -1,
            \"IpProtocol\": \"icmp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.59/32\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"10.64.77.24/32\",
                    \"Description\": \"Ping\"
                },
                {
                    \"CidrIp\": \"10.64.77.11/32\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"10.64.77.37/32\",
                    \"Description\": \"Monitoring Server  - ICMP\"
                },
                {
                    \"CidrIp\": \"10.226.109.157/32\",
                    \"Description\": \"Over here to over there\"
                },
                {
                    \"CidrIp\": \"10.226.109.172/32\",
                    \"Description\": \"Over here to over there\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": -1,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 1024,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.64.77.29/32\",
                    \"Description\": \"Server 007 - High Ports\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"0.0.0.0/0\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"223310898711\",
    \"VpcId\": \"vpc-192ac32be1b1a987c\"
}" 
| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions FromPort output=FromPort 
| spath input=IpPermissions IpProtocol output=IpProtocol 
| spath input=IpPermissions IpRanges{}.CidrIp output=CidrIp 
| spath input=IpPermissions IpRanges{}.Description output=Description 
| spath input=IpPermissions ToPort output=ToPort 
| eval a_zipped=mvzip(CidrIp, Description)
| mvexpand a_zipped 
| eval CidrIp=mvindex(split(a_zipped,","),0), Description=mvindex(split(a_zipped,","),1) 
| table FromPort, IpProtocol, CidrIp, Description, ToPort
0 Karma

user_303_user
Observer

Thank you so much for that. That worked perfectly for the initial example I provided. I ran those commands against a larger set of SG's and some corner cases appeared.

I tried various incantations of coalesce, fillnull and isnull but haven't figured out how to handle when there is no description.

 

You'll see port 22 has 5 instead of 7 results.  Port 139 has a single blank-ish result.  Port 445 has 4 instead of 7 results.

 

| makeresults 
| eval _raw="{
    \"Description\": \"Another SG Example\",
    \"GroupId\": \"sg-0b3332aaac8fceeb0\",
    \"GroupName\": \"AWS SG Example\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.0.0/16\",
                    \"Description\": \"A different group os servers\"
                },
                {
                    \"CidrIp\": \"10.14.111.136/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.171/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49152,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.157/32\"
                },
                {
                    \"CidrIp\": \"10.14.110.0/24\"
                },
                {
                    \"CidrIp\": \"10.14.111.171/32\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.157/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.136/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.171/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"0.0.0.0/0\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"549913499662\",
    \"VpcId\": \"vpc-b3h97aaa8b2fa8d2\"
}" 
| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions FromPort output=FromPort 
| spath input=IpPermissions IpProtocol output=IpProtocol 
| spath input=IpPermissions IpRanges{}.CidrIp output=CidrIp 
| spath input=IpPermissions IpRanges{}.Description output=Description 
| spath input=IpPermissions ToPort output=ToPort 
| eval a_zipped=mvzip(CidrIp, Description)
| mvexpand a_zipped 
| eval CidrIp=mvindex(split(a_zipped,","),0), Description=mvindex(split(a_zipped,","),1) 
| table FromPort, IpProtocol, CidrIp, Description, ToPort

 

0 Karma

yuanliu
SplunkTrust

@user_303_user You shouldn't need mvzip on well structured data. But you need to follow the actual hierarchy. This is the code you want:

 

| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions
| spath input=IpPermissions path=IpRanges{}
| mvexpand IpRanges{}
| spath input=IpRanges{}
| table FromPort, IpProtocol, CidrIp, Description, ToPort

 

Your simulated data will result in

FromPort, IpProtocol, CidrIp, Description, ToPort
22, tcp, 10.14.0.0/16, A different group os servers, 22
22, tcp, 10.14.111.136/32, , 22
22, tcp, 10.14.111.171/32, , 22
22, tcp, 10.14.111.24/32, Monitoring Service, 22
22, tcp, 10.14.111.11/32, Monitoring Service, 22
22, tcp, 10.14.111.37/32, Monitoring Service, 22
22, tcp, 10.14.111.59/32, Monitoring Service, 22
49152, tcp, 10.14.111.24/32, Monitoring Service, 65535
49152, tcp, 10.14.111.11/32, Monitoring Service, 65535
49152, tcp, 10.14.111.37/32, Monitoring Service, 65535
49152, tcp, 10.14.111.59/32, Monitoring Service, 65535
139, tcp, 10.14.111.157/32, , 139
139, tcp, 10.14.110.0/24, , 139
139, tcp, 10.14.111.171/32, , 139
135, tcp, 10.14.111.24/32, Monitoring Service, 135
135, tcp, 10.14.111.11/32, Monitoring Service, 135
135, tcp, 10.14.111.37/32, Monitoring Service, 135
135, tcp, 10.14.111.59/32, Monitoring Service, 135
445, tcp, 10.14.111.157/32, , 445
445, tcp, 10.14.111.136/32, , 445
445, tcp, 10.14.111.171/32, , 445
445, tcp, 10.14.111.24/32, Monitoring Service, 445
445, tcp, 10.14.111.11/32, Monitoring Service, 445
445, tcp, 10.14.111.37/32, Monitoring Service, 445
445, tcp, 10.14.111.59/32, Monitoring Service, 445
0 Karma

ITWhisperer
SplunkTrust

| makeresults 
| eval _raw="{
    \"Description\": \"Another SG Example\",
    \"GroupId\": \"sg-0b3332aaac8fceeb0\",
    \"GroupName\": \"AWS SG Example\",
    \"IpPermissions\": [
        {
            \"FromPort\": 22,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.0.0/16\",
                    \"Description\": \"A different group os servers\"
                },
                {
                    \"CidrIp\": \"10.14.111.136/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.171/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 22,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 49152,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 65535,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 139,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.157/32\"
                },
                {
                    \"CidrIp\": \"10.14.110.0/24\"
                },
                {
                    \"CidrIp\": \"10.14.111.171/32\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 139,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 135,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 135,
            \"UserIdGroupPairs\": []
        },
        {
            \"FromPort\": 445,
            \"IpProtocol\": \"tcp\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"10.14.111.157/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.136/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.171/32\"
                },
                {
                    \"CidrIp\": \"10.14.111.24/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.11/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.37/32\",
                    \"Description\": \"Monitoring Service\"
                },
                {
                    \"CidrIp\": \"10.14.111.59/32\",
                    \"Description\": \"Monitoring Service\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"ToPort\": 445,
            \"UserIdGroupPairs\": []
        }
    ],
    \"IpPermissionsEgress\": [
        {
            \"IpProtocol\": \"-1\",
            \"IpRanges\": [
                {
                    \"CidrIp\": \"0.0.0.0/0\"
                }
            ],
            \"Ipv6Ranges\": [],
            \"PrefixListIds\": [],
            \"UserIdGroupPairs\": []
        }
    ],
    \"OwnerId\": \"549913499662\",
    \"VpcId\": \"vpc-b3h97aaa8b2fa8d2\"
}" 
| spath IpPermissions{} output=IpPermissions
| mvexpand IpPermissions
| spath input=IpPermissions FromPort output=FromPort 
| spath input=IpPermissions IpProtocol output=IpProtocol  
| spath input=IpPermissions ToPort output=ToPort 
| spath input=IpPermissions IpRanges{} output=IpRanges
| mvexpand IpRanges
| spath input=IpRanges CidrIp output=CidrIp 
| spath input=IpRanges Description output=Description
| table FromPort, IpProtocol, CidrIp, Description, ToPort
0 Karma
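
The corner case reported in this thread (5 rows instead of 7 for port 22, one blank-ish row for port 139) can be reproduced outside Splunk. The Python model below is an added example, not code from any poster in the thread; it assumes that a path such as IpRanges{}.Description returns only the values that exist and that mvzip pairs values by position up to the shorter list, which is consistent with the row counts reported above. All function names are hypothetical.

```python
import json

# Trimmed from the second sample in the thread: port 22 has 7 ranges
# (2 of them without Description), port 139 has 3 ranges with no Description.
SAMPLE = json.loads("""
{
  "GroupId": "sg-0b3332aaac8fceeb0",
  "IpPermissions": [
    {"FromPort": 22, "IpProtocol": "tcp", "ToPort": 22, "IpRanges": [
      {"CidrIp": "10.14.0.0/16", "Description": "A different group os servers"},
      {"CidrIp": "10.14.111.136/32"},
      {"CidrIp": "10.14.111.171/32"},
      {"CidrIp": "10.14.111.24/32", "Description": "Monitoring Service"},
      {"CidrIp": "10.14.111.11/32", "Description": "Monitoring Service"},
      {"CidrIp": "10.14.111.37/32", "Description": "Monitoring Service"},
      {"CidrIp": "10.14.111.59/32", "Description": "Monitoring Service"}]},
    {"FromPort": 139, "IpProtocol": "tcp", "ToPort": 139, "IpRanges": [
      {"CidrIp": "10.14.111.157/32"},
      {"CidrIp": "10.14.110.0/24"},
      {"CidrIp": "10.14.111.171/32"}]}
  ]
}
""")


def column(perm, key):
    """Assumed model of `spath IpRanges{}.<key>`: only values that exist are
    returned, so each value's position inside IpRanges is lost."""
    return [r[key] for r in perm.get("IpRanges", []) if key in r]


def flatten_zipped(group):
    """Model of the mvzip approach: pair CidrIp and Description by position."""
    rows = []
    for perm in group["IpPermissions"]:
        cidrs = column(perm, "CidrIp")
        descs = column(perm, "Description")
        if not cidrs or not descs:
            # Assumption matching the thread's port 139 result: a null side
            # makes the zipped field null and one empty row survives.
            pairs = [(None, None)]
        else:
            pairs = list(zip(cidrs, descs))  # stops at the shorter list
        for cidr, desc in pairs:
            rows.append((perm["FromPort"], perm["IpProtocol"], cidr, desc,
                         perm["ToPort"]))
    return rows


def flatten_nested(group):
    """Model of the hierarchical approach: expand IpPermissions, then expand
    IpRanges, and read CidrIp and Description from the same object."""
    rows = []
    for perm in group["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            rows.append((perm.get("FromPort"), perm["IpProtocol"],
                         rng["CidrIp"], rng.get("Description", ""),
                         perm.get("ToPort")))
    return rows


def mismatches(group):
    """Zipped rows whose (port, CidrIp, Description) is not in the source."""
    truth = {(r[0], r[2], r[3]) for r in flatten_nested(group)}
    return [r for r in flatten_zipped(group)
            if r[2] is not None and (r[0], r[2], r[3]) not in truth]


if __name__ == "__main__":
    print("zipped rows:", len(flatten_zipped(SAMPLE)))
    print("nested rows:", len(flatten_nested(SAMPLE)))
    for row in mismatches(SAMPLE):
        print("wrong description attached:", row)
```

Besides the missing rows, the positional pairing attaches "Monitoring Service" to two CIDRs that have no description in the source, which matters when the table is used to review who is allowed in on a port.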