makejson
The makejson
command is an internal, unsupported, experimental command. See
About internal commands.
Description
Creates a JSON object from the specified set of fields in the search results, and places the JSON object into a new field.
Syntax
makejson <wc-field-list> output=<string>
Required arguments
- output
- Syntax: output=<string>
- Description: The name to use for the output field where the JSON object is placed.
Optional arguments
- wc-field-list
- Syntax: <field>(,<field>) ...
- Description: Comma-delimited list of fields to use to generate a JSON object. You can use a wild card character in the field names.
- Default: All fields are included in the JSON object if a list is not specified.
Usage
You cannot use the table
or fields
command to specify the field order in the JSON object that gets created.
Examples
1. Create a JSON object using all of the available fields
The following search create a JSON object in a field called "data" taking in values from all available fields.
| makeresults count=5 | eval owner="vladimir", error=random()%3 | makejson output=data
- The
makeresults
command creates five search results that contain a timestamp. - The
eval
command creates two fields in each search result. One field is namedowner
and contains the valuevladimir
. The other field is namederror
that takes a random number and uses the modulo mathematical operator ( % ) to divide the random number by 3. - The
makejson
command creates a JSON object based on the values in the fields in each search result.
The results look something like this:
_time | owner | error | data |
---|---|---|---|
2020-03-10 21:45:14 | vladimir | 1 | {"owner": "vladimir", "error": 1, "_time": 1583901914} |
2020-03-10 21:45:14 | vladimir | 0 | {"owner": "vladimir", "error": 0, "_time": 1583901914} |
2020-03-10 21:45:14 | vladimir | 0 | {"owner": "vladimir", "error": 0, "_time": 1583901914} |
2020-03-10 21:45:14 | vladimir | 2 | {"owner": "vladimir", "error": 2, "_time": 1583901914} |
2020-03-10 21:45:14 | vladimir | 1 | {"owner": "vladimir", "error": 1, "_time": 1583901914} |
2. Create a JSON object from a specific set of fields
Consider the following data:
_time | owner | error_code |
---|---|---|
2020-03-10 21:45:14 | claudia | 1 |
2020-03-10 20:45:17 | alex | 4 |
2020-03-10 06:48:11 | wei | 2 |
2020-03-09 21:15:35 | david | 3 |
2020-03-09 16:22:10 | maria | 4 |
2020-03-08 23:32:56 | vanya | 1 |
2020-03-07 14:05:14 | claudia | 2 |
The makejson command is used to create a JSON object in a field called "data" using the values from only the _time
and owner
fields. The error
field is not included in the JSON object.
| makeresults count=7 | eval owner="claudia", error=random()%5 | makejson _time, owner output=data
The results look something like this:
data |
---|
{"owner": "claudia", "_time": 1583876714} |
{"owner": "alex", "_time": 1583873117} |
{"owner": "wei", "_time": 1583822891} |
{"owner": "david", "_time": 1583788535} |
{"owner": "maria", "_time": 1583770930} |
{"owner": "vanya", "_time": 1583710376} |
{"owner": "claudia", "_time": 1583589914} |
3. Create a JSON object using a wildcard list of fields
Create a JSON object in a field called "json-object" using the values from the _time
field and fields that end in _owner
.
| makeresults count=5 | eval product_owner="wei", system_owner="vanya", error=random()%5 | makejson _time, *_owner output="json-object"
The results look something like this:
_time | product_owner | system_owner | error | json-object |
---|---|---|---|---|
2020-03-10 22:23:24 | wei | vanya | 3 | {"product_owner": "wei", "system_owner": "vanya", "_time": 1583904204} |
2020-03-10 22:23:24 | wei | vanya | 2 | {"product_owner": "wei", "system_owner": "vanya", "_time": 1583904204} |
2020-03-10 22:23:24 | wei | vanya | 1 | {"product_owner": "wei", "system_owner": "vanya", "_time": 1583904204} |
2020-03-10 22:23:24 | wei | vanya | 3 | {"product_owner": "wei", "system_owner": "vanya", "_time": 1583904204} |
2020-03-10 22:23:24 | wei | vanya | 2 | {"product_owner": "wei", "system_owner": "vanya", "_time": 1583904204} |
4. Use with schema-bound lookups
You can use the makejson
command with schema-bound lookups to store a JSON object in the description field for later processing.
Suppose that a Splunk application comes with a KVStore collection called example_ioc_indicators
, with the fields key
and description
. For long term supportability purposes you do not want to modify the collection, but simply want to utilize a custom lookup within a framework, such as Splunk Enterprise Security (ES) Threat Framework.
Let's start with the first part of the search:
| makeresults count=1
| eval threat="maliciousdomain.example", threat_expiry="2020-01-01 21:13:37 UTC", threat_name="Sample threat", threat_campaign="Sample threat", threat_confidence="100"
| makejson threat_expiry, threat_name, threat_campaign, threat_confidence output=description
| table threat, description
This search produces a result that looks something like this:
threat | description |
---|---|
maliciousdomain.example | {"threat_name": "Sample threat", "threat_confidence": 100, "threat_expiry": "2020-01-01 21:13:37 UTC", "threat_campaign": "Sample threat"} |
You would then add the outputlookup
command to send the search results to the lookup:
... | outputlookup append=t example_ioc_indicators
To use this custom lookup within a framework, you would specify this in a search:
...| lookup example_ioc_indicators OUTPUT description AS match_context | spath input=match_context
See also
- Related commands
- spath
findkeywords | mcatalog |
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!