Only select matching JSON data

joesecurity
Engager

I load JSON reports into Splunk and those reports have many arrays:

{  
   "analysis":{  
      "behavior":{  
         "processes":{  
            "process":[  
               {  
                  "fileactivities":{  
                     "fileCreated":{  
                        "call":[  
                           {  
                              "path":"C:\\Windows\\a"
                           },
                           {  
                              "path":"C:\\b"
                           }
                        ]
                     }
                  }
               }
            ]
         }
      }
   }
}

When I search:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*"

I often like to show the matching data. I use a table to do so:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | table "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"

However, the issue is that this shows me all fileCreated of the matching event and not only the one starting with C:\Windows.

How do I filter that?

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@joesecurity

Can you please try below search?

source=test | rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path 
| mvexpand fileCreated_path 
| search fileCreated_path="C:\\Windows\\*"

My Sample Search:

| makeresults 
| eval _raw="{\"analysis\":{\"behavior\":{\"processes\":{\"process\":[{\"fileactivities\":{\"fileCreated\":{\"call\":[{\"path\":\"C:\\\\Windows\\\\a\"},{\"path\":\"C:\\\\b\"}]}}}]}}}}" 
| kv 
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path 
| mvexpand fileCreated_path 
| search fileCreated_path="C:\\Windows\\*"

joesecurity
Engager

I tried this on my data but I don't get any results.

0 Karma

joesecurity
Engager

Is there a way to debug the call to see why it does not work?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@joesecurity

Did you get any results from the below search? Can you please confirm?

source=test | table "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path"

0 Karma

joesecurity
Engager

No results found in the visualization tab.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

in Statistics tab?

0 Karma

joesecurity
Engager

I found it. There was a difference between the JSON format listed in the example and the actual data.

0 Karma

joesecurity
Engager

One last question, let us assume "call" has more elements, also "status". How can I list the "path" and "status" for all calls which have path="C:\Windows*?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

For that, I have a magic for you.

| makeresults 
| eval _raw="{
    \"analysis\":{
       \"behavior\":{
          \"processes\":{
             \"process\":[
                {
                   \"fileactivities\":{
                      \"fileCreated\":{
                         \"call\":[
                            {
                               \"path\":\"C:\\\\Windows\\\\a\",
                               \"status\":\"status1\"
                            },
                            {
                               \"path\":\"C:\\\\b\",
                               \"status\":\"status2\"
                            }
                         ]
                      }
                   }
                }
             ]
          }
       }
    }
 }" 
| kv 
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.status" as fileCreated_status 
| eval temp=mvzip(fileCreated_path,fileCreated_status) 
| mvexpand temp 
| eval fileCreated_path=mvindex(split(temp,","),0),fileCreated_status=mvindex(split(temp,","),1) 
| search fileCreated_path="C:\\Windows\\*"
| table _time fileCreated_path fileCreated_status

Happy Splunking

0 Karma

tom_frotscher
Builder

Looks like your field is a multivalue field because the way through your JSON Object is the same for all fields called "path".

You can select a value from a multivalue field with the help of eval and mvindex:

source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | eval path=mvindex('behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path',0) | table path

Does this work for you?

0 Karma

joesecurity
Engager

This does not really help as I want to search all paths in all events but obviously only show the paths which matched.

0 Karma

tom_frotscher
Builder

Then you might use mvfilter to filter down your multivalue fields to what you need in the end? Like using a regex with mvfilter that filters out only paths that start with C:\\Windows*.

0 Karma

tom_frotscher
Builder

I will give you an example. You can copy this and run it in your splunk:

| makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field | eval path=mvfilter(match(field,"C:\\\\Windows.*"))

Everything up to | makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field should look like your result and the | eval path=mvfilter(match(field,"C:\\\\Windows.*")) filters down the result to the C:\Windows* match.

0 Karma
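Added example, written for this page and not posted by anyone in the thread: a Python model of what the accepted rename/mvexpand search, the mvzip/split re-pairing trick, and the mvfilter regex suggestion do to the nested report. It walks a constructed report in the same shape (all paths and status values are invented) and returns only the call entries whose path starts with C:\Windows, keeping path and status together. Two points a practitioner would want checked are built in: the regex is anchored, since Splunk's match() succeeds on a match anywhere in the string, and path and status are paired by position, because mvzip joins with a comma and split(temp,",") silently mis-pairs any path that itself contains a comma.

```python
import json
import re

# Constructed sample report in the shape discussed in the thread (not real sandbox output).
# The third call carries a comma in its path; the fourth contains "C:\Windows" mid-string.
SAMPLE_REPORT = json.dumps({
    "analysis": {"behavior": {"processes": {"process": [
        {"fileactivities": {"fileCreated": {"call": [
            {"path": "C:\\Windows\\a", "status": "status1"},
            {"path": "C:\\b", "status": "status2"},
            {"path": "C:\\Windows\\Temp\\x,y.tmp", "status": "status3"},
        ]}}},
        {"fileactivities": {"fileCreated": {"call": [
            {"path": "D:\\C:\\Windows\\decoy", "status": "status4"},
        ]}}},
    ]}}}
})

# Anchored, case-insensitive equivalent of fileCreated_path="C:\\Windows\\*".
# The ^ matters: SPL match() is unanchored, so "C:\\\\Windows.*" alone would also
# accept the decoy path above.
WINDOWS_PREFIX = re.compile(r"^C:\\Windows(\\|$)", re.IGNORECASE)


def iter_file_created_calls(report):
    """Yield every dict under processes.process[].fileactivities.fileCreated.call[]."""
    processes = (report.get("analysis", {}).get("behavior", {})
                 .get("processes", {}).get("process", []))
    for proc in processes:
        for call in proc.get("fileactivities", {}).get("fileCreated", {}).get("call", []):
            yield call


def flatten_like_splunk(report_json):
    """Collapse the arrays into two parallel multivalue lists, which is what Splunk's
    JSON extraction produces for the call{}.path and call{}.status field names."""
    paths, statuses = [], []
    for call in iter_file_created_calls(json.loads(report_json)):
        paths.append(call.get("path", ""))
        statuses.append(call.get("status", ""))
    return paths, statuses


def mvzip_split_pairs(paths, statuses):
    """Re-pair the two lists the way the thread's mvzip + split(temp, ",") does.
    Shown only to expose the failure mode: a comma inside a path shifts the split."""
    pairs = []
    for path, status in zip(paths, statuses):
        parts = f"{path},{status}".split(",")
        pairs.append((parts[0], parts[1]))
    return pairs


def index_pairs(paths, statuses):
    """Safe re-pairing: by position, with no delimiter involved."""
    return list(zip(paths, statuses))


def matching_calls(report_json, pattern=WINDOWS_PREFIX):
    """Return (path, status) for only the calls whose path matches, which is what
    the asker wanted: the whole event is searched, but only matching elements are shown."""
    paths, statuses = flatten_like_splunk(report_json)
    return [(p, s) for p, s in index_pairs(paths, statuses) if pattern.search(p)]


if __name__ == "__main__":
    for path, status in matching_calls(SAMPLE_REPORT):
        print(f"{path}\t{status}")
    paths, statuses = flatten_like_splunk(SAMPLE_REPORT)
    print("mvzip/split pairing of the comma path:", mvzip_split_pairs(paths, statuses)[2])
```

If a report can contain commas in paths, the SPL equivalent of index_pairs is to pass an explicit delimiter that cannot occur in a path to mvzip and use the same delimiter in split, or to expand the path field alone when status is not needed, as the accepted answer does.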

kamlesh_vaghela
SplunkTrust
SplunkTrust

@joesecurity

Can you please share sample event?

0 Karma

joesecurity
Engager

Added event data.

0 Karma