I load JSON reports into Splunk and those reports have many arrays:
{
  "analysis":{
    "behavior":{
      "processes":{
        "process":[
          {
            "fileactivities":{
              "fileCreated":{
                "call":[
                  {
                    "path":"C:\\Windows\\a"
                  },
                  {
                    "path":"C:\\b"
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }
}
When I search:
source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*"
I often like to show the matching data. I use a table to do so:
source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | table "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"
However, the issue is that this shows me all fileCreated of the matching event and not only the one starting with C:\Windows.
How do I filter that?
@joesecurity
Can you please try the search below?
source=test | rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path
| mvexpand fileCreated_path
| search fileCreated_path="C:\\Windows\\*"
My Sample Search:
| makeresults
| eval _raw="{\"analysis\":{\"behavior\":{\"processes\":{\"process\":[{\"fileactivities\":{\"fileCreated\":{\"call\":[{\"path\":\"C:\\\\Windows\\\\a\"},{\"path\":\"C:\\\\b\"}]}}}]}}}}"
| kv
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path
| mvexpand fileCreated_path
| search fileCreated_path="C:\\Windows\\*"
I tried this on my data but I don't get any results.
Is there a way to debug the call to see why it does not work?
@joesecurity
Did you get any results from the below search? Can you please confirm?
source=test | table "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path"
No results found in the visualization tab.
In the Statistics tab?
I found it. There was a difference between the JSON format listed in the example and the actual data.
One last question, let us assume "call" has more elements, also "status". How can I list the "path" and "status" for all calls which have path="C:\Windows*"?
For that, I have a magic for you.
| makeresults
| eval _raw=" {
  \"analysis\":{
    \"behavior\":{
      \"processes\":{
        \"process\":[
          {
            \"fileactivities\":{
              \"fileCreated\":{
                \"call\":[
                  {
                    \"path\":\"C:\\\\Windows\\\\a\",
                    \"status\":\"status1\"
                  },
                  {
                    \"path\":\"C:\\\\b\",
                    \"status\":\"status2\"
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }
}"
| kv
| rename "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}.status" as fileCreated_status
| eval temp=mvzip(fileCreated_path,fileCreated_status)
| mvexpand temp
| eval fileCreated_path=mvindex(split(temp,","),0),fileCreated_status=mvindex(split(temp,","),1)
| search fileCreated_path="C:\\Windows\\*"
| table _time fileCreated_path fileCreated_status
Happy Splunking
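To sanity-check what the mvzip/mvexpand/split pipeline above produces, here is an added Python model of it (not Splunk code and not from the answer's author): it flattens the `process{}`/`call{}` arrays the way the `{}` field names do, pairs path with status by index like mvzip, and shows the one pitfall of the default "," delimiter, namely a path that itself contains a comma. The sample report is constructed for this illustration.

```python
import json

# Constructed sample in the shape discussed in the thread (not real report data).
SAMPLE_REPORT = json.dumps({
    "analysis": {"behavior": {"processes": {"process": [
        {"fileactivities": {"fileCreated": {"call": [
            {"path": "C:\\Windows\\a", "status": "status1"},
            {"path": "C:\\b", "status": "status2"},
        ]}}},
        {"fileactivities": {"fileCreated": {"call": [
            {"path": "C:\\Windows\\x,y", "status": "status3"},  # comma in path
        ]}}},
    ]}}}
})

def multivalue(obj, dotted):
    """Collect leaf values the way 'a.b{}.c' is flattened into one multivalue
    field: every '{}' level is an array and all its elements are walked."""
    key, _, rest = dotted.partition(".")
    if key.endswith("{}"):
        items = obj.get(key[:-2], [])
        items = items if isinstance(items, list) else [items]
    else:
        items = [obj[key]] if key in obj else []
    if not rest:
        return [i for i in items if i is not None]
    out = []
    for item in items:
        if isinstance(item, dict):
            out.extend(multivalue(item, rest))
    return out

def matching_calls(raw, prefix, delim=","):
    """Model of: mvzip -> mvexpand -> split/mvindex -> search prefix.
    delim mirrors the optional third argument of mvzip and the split delimiter;
    with the default "," a path containing a comma is split in the wrong place."""
    base = "analysis.behavior.processes.process{}.fileactivities.fileCreated.call{}."
    data = json.loads(raw)
    paths = multivalue(data, base + "path")
    statuses = multivalue(data, base + "status")
    rows = []
    for zipped in (delim.join(pair) for pair in zip(paths, statuses)):  # mvzip
        parts = zipped.split(delim)                                      # split(temp, delim)
        path, status = parts[0], parts[1]                                # mvindex 0 / 1
        if path.startswith(prefix):                                      # search fileCreated_path=...
            rows.append((path, status))
    return rows
```

Running it with the default delimiter returns ("C:\Windows\x", "y") for the third call, so in Splunk use a delimiter that cannot occur in a path, e.g. mvzip(fileCreated_path,fileCreated_status,"|") with split(temp,"|").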
Looks like your field is a multivalue field because the path through your JSON object is the same for all fields called "path".
You can select a value from a multivalue field with the help of eval and mvindex:
source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | eval path=mvindex('behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path',0) | table path
Does this work for you?
This does not really help as I want to search all paths in all events but obviously only show the paths which matched.
Then you might use mvfilter to filter down your multivalue fields to what you need in the end? Like using a regex with mvfilter that filters out only paths that start with C:\\Windows*.
I will give you an example. You can copy this and run it in your splunk:
| makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field | eval path=mvfilter(match(field,"C:\\\\Windows.*"))
Everything up to | makeresults | eval field="C:\\Windows\\a,F:\\Foo" | makemv delim="," field
should look like your result and the | eval path=mvfilter(match(field,"C:\\\\Windows.*"))
filters down the result to the C:\Windows* match.
@joesecurity
Can you please share a sample event?
Added event data.