Hello,
I index some logs in JSON format.
I manage to access JSON fields with:
search | spath "jsonfield" | search "jsonfield"="value"
My problem is on a specific field in my json:
JSON example:
[{"source":"mySource","id":"2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:28:57.970Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"POLICY","message":"Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"}},{"source":"mySource","id":"33db40d4-6e3c-11e8-8240-06db4a62e7d6","recorded":"2018-12-06T12:29:08.190Z","action":null,"actors":[{"type":"user","name":"username","id":null}],"resources":[],"client":null,"result":{"status":"SUCCESS","message":"SSO myKey \"myKey 1\""}}]
In the result.message field, Splunk reads a string, but I would like to extract fields.
For example, I would like to extract:
Application Name
Country
Mobile OS Version
etc.
How could I do that?
I can't change the JSON format (I don't manage the app that sends it to me...)
Regards
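An added example, not from the original post or from Splunk, showing the extraction logic in Python: it parses the JSON, then pulls the "Key: Value" lines out of result.message with a regex of the kind you would hand to Splunk's rex command against that field. The sample JSON is a constructed, trimmed copy of the two events above.

```python
import json
import re

# Constructed sample: a trimmed copy of the two events from the post.
SAMPLE = json.dumps([
    {"source": "mySource", "id": "2dc3cdf1-6e3c-11e8-8240-06db4a62e7d6",
     "result": {"status": "POLICY",
                "message": "Authentication Details:\nIP Address: 255.255.255.255\n"
                           "Country: FR\nNew Device: true\n"
                           "Requested Application ID: https://www.myapplication.com/\n"
                           "Requested Application Name: N/A\nMobile OS Version: N/A\n"
                           "Rule Met: \"Default Action\"\n"}},
    {"source": "mySource", "id": "33db40d4-6e3c-11e8-8240-06db4a62e7d6",
     "result": {"status": "SUCCESS", "message": "SSO myKey \"myKey 1\""}},
])

# One "Key: Value" line. The key stops at the first ": " so a value that itself
# contains ':' (the application URL) stays intact. The same pattern can be
# given to Splunk's rex command (rex field=result.message "...").
KV_LINE = re.compile(r"^(?P<key>[^:\n]+): (?P<val>.*)$", re.MULTILINE)


def parse_message(message):
    """Turn the newline-separated 'Key: Value' block into a dict.
    Lines that are not key/value pairs (the 'Authentication Details:' header,
    or a free-text SUCCESS message) are ignored rather than mis-parsed."""
    fields = {}
    for m in KV_LINE.finditer(message):
        key = m.group("key").strip().lower().replace(" ", "_")
        fields[key] = m.group("val").strip().strip('"')
    return fields


def extract_fields(raw_json):
    """Return one dict per event: id, status, plus the flattened message fields."""
    out = []
    for event in json.loads(raw_json):
        row = {"id": event["id"], "status": event["result"]["status"]}
        row.update(parse_message(event["result"]["message"]))
        out.append(row)
    return out
```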