我在数组中有这三个条目,我只想获得那些from_port = 22的条目的cidr_ip。在这种情况下,这是第二个条目,具有5个cidr_ips
{"grants": [{"owner_id": "376456522198", "cidr_ip": null}, {"owner_id": "376456522198", "cidr_ip": null}], "ipRanges": "", "from_port": null, "to_port": null, "groups": "\n ", "ip_protocol": "-1"}
{"grants": [{"owner_id": null, "cidr_ip": "52.59.64.149/32"}, {"owner_id": null, "cidr_ip": "193.26.194.92/32"}, {"owner_id": null, "cidr_ip": "182.75.203.18/32"}, {"owner_id": null, "cidr_ip": "49.207.49.169/32"}, {"owner_id": null, "cidr_ip": "1.39.182.12/32"}], "ipRanges": "\n ", "from_port": "22", "to_port": "22", "groups": "", "ip_protocol": "tcp"}
{"grants": [{"owner_id": null, "cidr_ip": "52.59.64.149/32"}, {"owner_id": null, "cidr_ip": "182.75.203.18/32"}, {"owner_id": null, "cidr_ip": "193.26.194.92/32"}], "ipRanges": "\n ", "from_port": "3389", "to_port": "3389", "groups": "", "ip_protocol": "tcp"}
我必须使用rex命令来提取事件中拥有的3个JSON块。然后,我使用mvexpand为每个可能的JSON条目创建单独的事件。使用Splunk spath命令,我可以提取单个json字段。然后,很容易过滤from_port=22,然后仅显示我们感兴趣的字段。
| rex max_match=10 "(?<json>{\"grants\":.*?ip_protocol\": \"[^\"]+\"})"
| mvexpand json
| spath input=json
| where from_port=22
| table grants{}.cidr_ip, from_port
请注意,rex正则表达式依赖于ip_protocol在json表达式中排在最后。这可能满足您的需求,或者您可以修改正则表达式以使其在其他情况下起作用,具体取决于事件的外观。