Hi All, I hope someone is able to help me resolve an issue that I have with some nested fields in JSON. I'd like to get the data out of the 'Parameters' field.
The data is in CSV format and the JSON is in the field AuditData. I use the spath command to get most of the fields with the following search:
index=auditlog | spath input=AuditData
Most of the fields get extracted; however, there is nested JSON in the 'Parameters' field. And when I use the spath command it will create two new fields:
Parameters{}.Name
Parameters{}.Value
Parameters{}.Name contains 'SentTo', 'ModerateMessageByUser' etc.
Parameters{}.Value contains the values belonging to the above names.
However, what I'd like to get is a field with the Parameter Name and the accompanying Parameter Value, e.g.:
SentTo (Fieldname) this is a test (Value)
ModerateMessageByUser (Fieldname) John Doe (Value)
Hopefully this makes sense. I've added an example event below:
"outlook.office365.com","7c06ff67-4425-4eb6-9df5-a7e9b0a07fa0","False","ExchangeAdmin","1/25/2019 1:54:50 PM","test@test.onmicrosoft.com","New-TransportRule","{""CreationTime"":""2019-01-25T13:54:50"",""Id"":""4f438b66-64b2-4291-0dec-08d682ccad1c"",""Operation"":""New-TransportRule"",""OrganizationId"":""f2b20553-47ca-41c0-9766-fba93daf6cf1"",""RecordType"":1,""ResultStatus"":""True"",""UserKey"":""1003200036269B2E"",""UserType"":2,""Version"":1,""Workload"":""Exchange"",""ClientIP"":""1.1.1:42796"",""ObjectId"":"""",""UserId"":""test@test.onmicrosoft.com"",""ExternalAccess"":false,""OrganizationName"":""test.onmicrosoft.com"",""OriginatingServer"":""AM6PR04MB6088 (15.20.1558.000)"",""Parameters"":[{""Name"":""SentTo"",""Value"":""this is a test""},{""Name"":""ModerateMessageByUser"",""Value"":""John Doe""},{""Name"":""Name"",""Value"":""Forward_Mails""},{""Name"":""StopRuleProcessing"",""Value"":""False""},{""Name"":""Mode"",""Value"":""Enforce""},{""Name"":""Comments"",""Value"":""""},{""Name"":""RuleErrorAction"",""Value"":""Ignore""},{""Name"":""SenderAddressLocation"",""Value"":""Header""}],""SessionId"":""8240fe03-0507-4794-99c3-e601796be84b""}","77","123","4f438b66-64b2-4291-0dec-08d682ccad1c","True","Unchanged"
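The pairing asked for above, shown offline in Python as an added example that is not part of the original post and is not an SPL answer. The function name `flatten_audit_row`, the `Param_` prefix and the AuditData column index (7, as in the sample event) are assumptions made for illustration.

```python
import csv
import io
import json

# Shortened from the post's sample event: same leading CSV columns, AuditData
# JSON (8th column) trimmed to a few keys. The second "SentTo" is constructed.
SAMPLE_ROW = (
    '"outlook.office365.com","7c06ff67-4425-4eb6-9df5-a7e9b0a07fa0","False",'
    '"ExchangeAdmin","1/25/2019 1:54:50 PM","test@test.onmicrosoft.com",'
    '"New-TransportRule","{""Operation"":""New-TransportRule"",'
    '""UserId"":""test@test.onmicrosoft.com"",""Parameters"":['
    '{""Name"":""SentTo"",""Value"":""this is a test""},'
    '{""Name"":""ModerateMessageByUser"",""Value"":""John Doe""},'
    '{""Name"":""Name"",""Value"":""Forward_Mails""},'
    '{""Name"":""Comments"",""Value"":""""},'
    '{""Name"":""SentTo"",""Value"":""second recipient""}]}","77"\n'
)


def flatten_audit_row(row_text, audit_col=7, prefix="Param_"):
    """Return one flat dict per CSV row: AuditData keys plus Param_<Name> fields."""
    events = []
    for row in csv.reader(io.StringIO(row_text)):
        audit = json.loads(row[audit_col])   # csv already collapsed "" to "
        flat = {k: v for k, v in audit.items() if k != "Parameters"}
        for param in audit.get("Parameters") or []:
            # Pair Name and Value from the same object, so an empty Value
            # (e.g. Comments) can never shift the pairing.
            key = prefix + str(param.get("Name", ""))
            value = param.get("Value", "")
            if key in flat:                  # repeated Name: keep every value
                prev = flat[key]
                flat[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                flat[key] = value
        events.append(flat)
    return events


if __name__ == "__main__":
    for event in flatten_audit_row(SAMPLE_ROW):
        for field, value in sorted(event.items()):
            print(f"{field} = {value!r}")
```

The prefix keeps a parameter that is itself called `Name` from being confused with other fields of the event.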