
SPL Tricks: Dealing with Nested Name-Value Pairs in JSON

JSON is a fantastic logging format, and Splunk has built-in support for it. However, one field structure in JSON logs can be a little tricky to manage: a list of dictionaries in which every entry has a `name` key and a `value` key, for example `[{"name": "foo", "value": "bar"}, ...]`.


The issue is that Splunk extracts these as two multivalued fields, `name` and `value` (`name=foo` and `value=bar` for the first entry), so each name is no longer paired with its own value as a field of its own. I've tried a couple of different methods to pull specific fields out in the past, but I've now figured out a clean way to extract all of them at once in search.

This method adds a field for every dictionary in the list, using each entry's `name` as the field name and its `value` as the field value.


Breaking this down


Use `mvzip` to combine the `name` and `value` fields, so that each dictionary becomes a single value of the form `name:value`. The join delimiter must not occur in the names or values themselves; change `:` to something else if it does.


Use `mvmap` to iterate over the values in the new multivalued field, `split` each one on the delimiter, and build a `json_object` using index 0 as the key name and index 1 as the value.


Join the resulting JSON dictionaries into a single JSON-formatted list.


Use `spath` on the new field to extract the JSON into fields.

I’ve come across logs like this quite often, and I hope this solution proves useful to others facing the same problem. There are many powerful and creative ways to use `eval` functions and other commands in Splunk. I highly recommend taking the time to dig through the documentation whenever you’re faced with a problem in getting the results you want in Splunk. There’s often a command or technique that will provide the solution you need.

Full Test Search

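A complete, self-contained search that walks through the steps above. This is an added example, not the post's own test search: it builds one synthetic event with `makeresults`, and the event content, the extracted field names (`attributes{}.name` and `attributes{}.value`), and the `delim_collisions` sanity check are all my assumptions. It also differs from the post in one step: instead of joining the objects into a JSON list, it strips the braces from each `json_object` result with `trim` and merges the pairs into a single object, so that `spath` yields plain field names rather than list-element paths.

```spl
| makeresults
| eval _raw="{\"event\":\"login\",\"attributes\":[{\"name\":\"user\",\"value\":\"alice\"},{\"name\":\"src_ip\",\"value\":\"10.0.0.5\"},{\"name\":\"result\",\"value\":\"success\"}]}"
| spath
| eval pairs=mvzip('attributes{}.name', 'attributes{}.value', ":")
| eval delim_collisions=coalesce(mvcount(mvfilter(match(pairs, ":.*:"))), 0)
| eval objs=mvmap(pairs, json_object(mvindex(split(pairs, ":"), 0), mvindex(split(pairs, ":"), 1)))
| eval attrs_json="{" . mvjoin(mvmap(objs, trim(objs, "{}")), ",") . "}"
| spath input=attrs_json
| table event user src_ip result delim_collisions attrs_json
```

Line by line: the first `spath` performs Splunk's normal JSON extraction on `_raw`, producing the multivalued `attributes{}.name` and `attributes{}.value` fields (the single quotes are required in `eval` because of the braces and dot in the names). `mvzip` pairs them up with `:`. The `delim_collisions` line is the check the delimiter caveat calls for: it counts any pair containing a second `:` (an IPv6 address in a value, for instance), which would make `split` return the wrong pieces; anything other than 0 means you should pick a different delimiter. `mvmap` then turns each pair into a one-key JSON object, the braces are trimmed off and the fragments joined into one object, and the second `spath` exposes `user`, `src_ip` and `result` as ordinary fields you can filter or `stats` on.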


*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Hurricane Labs. Read the original post at: https://hurricanelabs.com/blog/spl-tricks-dealing-with-nested-name-value-pairs-in-json/?utm_source=rss&utm_medium=rss&utm_campaign=spl-tricks-dealing-with-nested-name-value-pairs-in-json