I'm having issues properly extracting all the fields I'm after from some JSON. The logs are from a script that dumps all the AWS Security Groups into a JSON file that is ingested into Splunk by a UF. Below is a sanitized example of the output for one AWS Security Group. I've tried various iterations of spath with mvzip, mvindex, and mvexpand. I've also tried, to no avail, using foreach. I'm stumped as to how to get Splunk to pull out each instance of CidrIp and Description inside the FromPort.
The end goal is to be able to search for a port or an address and get back all the corresponding info.
Example search: index=something FromPort=22 | table FromPort, CidrIp, Description, ToPort
Example results:
FromPort, CidrIp, Description, ToPort
22, 10.10.10.1, Server01 SSH rule, 22
22, 10.10.10.2, Server 002 inbound, 22
etc....
Right now my field extraction only results in the first field for each rule.
When working correctly, it would look like this and would contain all the rules in the log.
| makeresults
| eval _raw="{
\"Description\": \"Rules for server\",
\"GroupId\": \"sg-02d3a65ece83ba3a98\",
\"GroupName\": \"Fake group name\",
\"IpPermissions\": [
{
\"FromPort\": 22,
\"IpProtocol\": \"tcp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.59/32\",
\"Description\": \"Monitoring App - SSH\"
},
{
\"CidrIp\": \"10.64.77.24/32\",
\"Description\": \"Monitoring App - SSH\"
},
{
\"CidrIp\": \"10.64.77.29/32\",
\"Description\": \"Some Host - SSH\"
},
{
\"CidrIp\": \"10.64.77.11/32\",
\"Description\": \"Monitoring App - SSH\"
},
{
\"CidrIp\": \"10.64.77.136/32\",
\"Description\": \"SSH\"
},
{
\"CidrIp\": \"10.64.77.171/32\",
\"Description\": \"SSH\"
},
{
\"CidrIp\": \"10.64.77.37/32\",
\"Description\": \"Monitoring App - SSH\"
},
{
\"CidrIp\": \"10.64.77.174/32\",
\"Description\": \"Server003\"
},
{
\"CidrIp\": \"10.64.77.154/32\",
\"Description\": \"Server004\"
},
{
\"CidrIp\": \"10.226.109.245/32\",
\"Description\": \"Server to Server\"
},
{
\"CidrIp\": \"10.226.109.157/32\",
\"Description\": \"Another server to other stuff\"
},
{
\"CidrIp\": \"10.226.109.172/32\",
\"Description\": \"Another server to other stuff\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": 22,
\"UserIdGroupPairs\": []
},
{
\"FromPort\": 49763,
\"IpProtocol\": \"tcp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.59/32\",
\"Description\": \"Monitoring - Other Ports\"
},
{
\"CidrIp\": \"10.64.77.24/32\",
\"Description\": \"Monitoring - Other Ports\"
},
{
\"CidrIp\": \"10.64.77.37/32\",
\"Description\": \"Monitoring - Other Ports\"
},
{
\"CidrIp\": \"10.64.77.11/32\",
\"Description\": \"Monitoring - Other Ports\"
},
{
\"CidrIp\": \"10.226.109.157/32\",
\"Description\": \"Over here to over there\"
},
{
\"CidrIp\": \"10.226.109.172/32\",
\"Description\": \"Over here to over there\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": 35226,
\"UserIdGroupPairs\": []
},
{
\"FromPort\": 139,
\"IpProtocol\": \"tcp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.29/32\",
\"Description\": \"Server 007 - Netbios\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": 139,
\"UserIdGroupPairs\": []
},
{
\"FromPort\": 135,
\"IpProtocol\": \"tcp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.29/32\",
\"Description\": \"Server 007 - DCOM\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": 135,
\"UserIdGroupPairs\": []
},
{
\"FromPort\": 445,
\"IpProtocol\": \"tcp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.29/32\",
\"Description\": \"Server 007 - MS-DS\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": 445,
\"UserIdGroupPairs\": []
},
{
\"FromPort\": 443,
\"IpProtocol\": \"tcp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.29/32\",
\"Description\": \"Server 007 - HTTPS\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": 443,
\"UserIdGroupPairs\": []
},
{
\"FromPort\": -1,
\"IpProtocol\": \"icmp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.59/32\",
\"Description\": \"Monitoring Server - ICMP\"
},
{
\"CidrIp\": \"10.64.77.24/32\",
\"Description\": \"Ping\"
},
{
\"CidrIp\": \"10.64.77.11/32\",
\"Description\": \"Monitoring Server - ICMP\"
},
{
\"CidrIp\": \"10.64.77.37/32\",
\"Description\": \"Monitoring Server - ICMP\"
},
{
\"CidrIp\": \"10.226.109.157/32\",
\"Description\": \"Over here to over there\"
},
{
\"CidrIp\": \"10.226.109.172/32\",
\"Description\": \"Over here to over there\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": -1,
\"UserIdGroupPairs\": []
},
{
\"FromPort\": 1024,
\"IpProtocol\": \"tcp\",
\"IpRanges\": [
{
\"CidrIp\": \"10.64.77.29/32\",
\"Description\": \"Server 007 - High Ports\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"ToPort\": 65535,
\"UserIdGroupPairs\": []
}
],
\"IpPermissionsEgress\": [
{
\"IpProtocol\": \"-1\",
\"IpRanges\": [
{
\"CidrIp\": \"0.0.0.0/0\"
}
],
\"Ipv6Ranges\": [],
\"PrefixListIds\": [],
\"UserIdGroupPairs\": []
}
],
\"OwnerId\": \"223310898711\",
\"VpcId\": \"vpc-192ac32be1b1a987c\"
}"
| spath IpPermissions{}.FromPort output=a_FromPort
| spath IpPermissions{}.IpProtocol output=a_IpProtocol
| spath IpPermissions{}.IpRanges{}.CidrIp output=a_CidrIp
| spath IpPermissions{}.IpRanges{}.Description output=a_Description
| spath IpPermissions{}.ToPort output=a_ToPort
| eval a_zipped=mvzip(mvzip(mvzip(mvzip(a_FromPort, a_IpProtocol), a_CidrIp), a_Description), a_ToPort)
| mvexpand a_zipped
| eval b_FromPort=mvindex(split(a_zipped,","),0), b_IpProtocol=mvindex(split(a_zipped,","),1), b_CidrIp=mvindex(split(a_zipped,","),2), b_Description=mvindex(split(a_zipped,","),3), b_ToPort=mvindex(split(a_zipped,","),4)
| table b_FromPort, b_IpProtocol, b_CidrIp, b_Description, b_ToPort, a_zipped
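One way to get one row per CIDR rule, as an added example that is not part of the original post: expand the IpPermissions array first, extract the per-rule fields from each element, and only then expand IpRanges, so the port fields stay attached to the right CIDRs instead of being zipped against a shorter list. The makeresults event below is a constructed, trimmed subset of the sanitized group above (GroupId is a placeholder); on real data, drop the first two lines and run the rest against index=something.

```spl
| makeresults
| eval _raw="{\"GroupId\": \"sg-0000example\", \"GroupName\": \"Fake group name\", \"IpPermissions\": [{\"FromPort\": 22, \"IpProtocol\": \"tcp\", \"IpRanges\": [{\"CidrIp\": \"10.64.77.59/32\", \"Description\": \"Monitoring App - SSH\"}, {\"CidrIp\": \"10.64.77.29/32\", \"Description\": \"Some Host - SSH\"}], \"ToPort\": 22}, {\"FromPort\": -1, \"IpProtocol\": \"icmp\", \"IpRanges\": [{\"CidrIp\": \"10.64.77.24/32\", \"Description\": \"Ping\"}], \"ToPort\": -1}]}"
| spath path=GroupId
| spath path=GroupName
| spath path=IpPermissions{} output=perm
| mvexpand perm
| spath input=perm path=FromPort output=FromPort
| spath input=perm path=ToPort output=ToPort
| spath input=perm path=IpProtocol output=IpProtocol
| spath input=perm path=IpRanges{} output=range
| mvexpand range
| spath input=range path=CidrIp output=CidrIp
| spath input=range path=Description output=Description
| table GroupId, GroupName, FromPort, ToPort, IpProtocol, CidrIp, Description
```

The constructed sample yields three rows (two for port 22, one for ICMP with FromPort -1), and the port or address filter has to come after the expansion, e.g. `| search FromPort=22` or `| search CidrIp="10.64.77.29/32"`. Groups with many rules can exceed the mvexpand memory limit (max_mem_usage_mb under [mvexpand] in limits.conf), in which case having the dump script emit one rule per event is the more robust fix.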