Source: socprime.com – Author: Adam Swan
Often, especially when providing context to analysts responsible for triaging alerts, it is useful to present all of the context a cloud provider nests inside a large JSON blob as a single field rather than as dozens of auto-extracted fields. The Splunk search command "spath" does this: give it the path to the nested object or array (a trailing {} selects every element of an array) and it extracts that subtree as one multivalue field, one value per array element.
Note: if you have trouble manipulating the extracted field, rename it first. Its name contains dots and braces, which eval treats as operators unless the name is wrapped in single quotes, so either wrap it ('properties.authenticationDetails{}') or give it a plain name with spath's output= argument or the rename command before any eval statements.
index=azure AND "signinlogs"
| spath properties.authenticationDetails{}
| table properties.authenticationDetails{}
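The following is an added example, not part of the original post, that runs offline with makeresults instead of against the azure index. The event is a constructed sample; its field names follow the Azure AD SignInLogs schema (properties.authenticationDetails with authenticationMethod, succeeded and authenticationStepResultDetail per step) but the values are made up. It shows the rename via output= that the note above recommends, joins the per-step values into one string for an analyst-facing table, and counts the failed steps from the same field.

```spl
| makeresults
``` constructed sample sign-in event, shaped like an Azure AD SignInLogs record ```
| eval _raw="{\"category\":\"SignInLogs\",\"properties\":{\"userPrincipalName\":\"alice@example.com\",\"ipAddress\":\"203.0.113.10\",\"status\":{\"errorCode\":50074},\"authenticationDetails\":[{\"authenticationStepDateTime\":\"2024-01-15T08:01:02Z\",\"authenticationMethod\":\"Password\",\"succeeded\":true,\"authenticationStepResultDetail\":\"Correct password\"},{\"authenticationStepDateTime\":\"2024-01-15T08:01:09Z\",\"authenticationMethod\":\"Mobile app notification\",\"succeeded\":false,\"authenticationStepResultDetail\":\"MFA denied; user declined the authentication\"}]}}"
``` scalar fields come out as single values ```
| spath input=_raw path=properties.userPrincipalName output=user
| spath input=_raw path=properties.ipAddress output=src_ip
``` the trailing {} selects every element of the array: one JSON object per value, in a field with a plain name thanks to output= ```
| spath input=_raw path=properties.authenticationDetails{} output=auth_details
``` collapse the multivalue field into one string so it fits a single table cell / alert field ```
| eval auth_summary=mvjoin(auth_details, " || ")
``` failed authentication steps, derived from the same field; coalesce turns "no match" (null) into 0 ```
| eval failed_steps=coalesce(mvcount(mvfilter(match(auth_details, "\"succeeded\"\s*:\s*false"))), 0)
| table user src_ip failed_steps auth_summary auth_details
```

Against real data, replace the makeresults and eval lines with index=azure AND "signinlogs" and keep the rest unchanged; spath reads _raw by default, so input=_raw can be dropped. If you prefer not to rename, the same eval calls work with the original field name quoted as 'properties.authenticationDetails{}'.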
Original Post URL: https://socprime.com/blog/splunk-how-to-output-nested-json-as-one-field/
Category & Tags: Blog, Knowledge Bits, SIEM, SIEM & EDR, Splunk