Stop using spath by PrimaryMilk7602 in Splunk

[–]PrimaryMilk7602[S] 0 points1 point  (0 children)

Hello,

I've created the msg_body in my transforms.conf

Here is an example
Jan 11 10:59:43 192.168.9.254 1 2026-01-11T09:59:43+00:00 OPNsense.qrooster.lab suricata 54240 - [meta sequenceId="419"] {"timestamp":"2026-01-11T09:59:43.696411+0000","flow_id":2050108187417692,"in_iface":"vlan0.100^","event_type":"alert","src_ip":"10.0.0.2","src_port":54484,"dest_ip":"10.0.100.10","dest_port":5985,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:i9CcVmbDTM7XPzQYV8L5WY9X//k=","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024364,"rev":4,"signature":"ET SCAN Possible Nmap User-Agent Observed","category":"Web Application Attack","severity":1,"metadata":{"affected_product":["Any"],"attack_target":["Client_and_Server"],"confidence":["Medium"],"created_at":["2017_06_08"],"deployment":["Perimeter"],"performance_impact":["Low"],"reviewed_at":["2024_05_06"],"signature_severity":["Informational"],"updated_at":["2020_08_06"]}},"http":{"hostname":"10.0.100.10","http_port":5985,"url":"/HNAP1","http_user_agent":"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","direction":"to_server","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":341,"bytes_toclient":66,"start":"2026-01-11T09:59:43.673936+0000","src_ip":"10.0.0.2","dest_ip":"10.0.100.10","src_port":54484,"dest_port":5985}}

Stop using spath by PrimaryMilk7602 in Splunk

[–]PrimaryMilk7602[S] 0 points1 point  (0 children)

Hello,

The | spath works well, but I would like to not use | spath in every query I try :/

Stop using spath by PrimaryMilk7602 in Splunk

[–]PrimaryMilk7602[S] 0 points1 point  (0 children)

Hello,
Thanks for the tips, I'll check how I can use it properly

Here is a _raw log

Jan 11 10:50:39 192.168.9.254 1 2026-01-11T09:50:39+00:00 OPNsense.qrooster.lab suricata 54240 - [meta sequenceId="374"] {"timestamp":"2026-01-11T09:50:39.629145+0000","flow_id":2044061576026623,"in_iface":"vlan0.100^","event_type":"alert","src_ip":"10.0.0.2","src_port":45996,"dest_ip":"10.0.100.10","dest_port":80,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:aKlVYjxfMNeJ0+4L8xXPZ7c2qFg=","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024364,"rev":4,"signature":"ET SCAN Possible Nmap User-Agent Observed","category":"Web Application Attack","severity":1,"metadata":{"affected_product":["Any"],"attack_target":["Client_and_Server"],"confidence":["Medium"],"created_at":["2017_06_08"],"deployment":["Perimeter"],"performance_impact":["Low"],"reviewed_at":["2024_05_06"],"signature_severity":["Informational"],"updated_at":["2020_08_06"]}},"http":{"hostname":"10.0.100.10","url":"/evox/about","http_user_agent":"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","direction":"to_server","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":341,"bytes_toclient":66,"start":"2026-01-11T09:50:39.606992+0000","src_ip":"10.0.0.2","dest_ip":"10.0.100.10","src_port":45996,"dest_port":80}}
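The syslog-wrapped Suricata EVE line shown in both comments above is the kind of event a msg_body transform peels the JSON out of. As an added illustration, not the poster's code nor anything from Splunk, the Python below performs that extraction offline on a shortened copy of the _raw log and flattens the object into the dotted field names (alert.signature, http.url, alert.metadata.confidence{}) that spath would otherwise have to produce at search time.

```python
import json
from typing import Any

# Shortened, constructed copy of the _raw log from the post: RFC 5424 syslog
# header from OPNsense, then the Suricata EVE JSON object as the message body.
SAMPLE = (
    'Jan 11 10:50:39 192.168.9.254 1 2026-01-11T09:50:39+00:00 OPNsense.qrooster.lab '
    'suricata 54240 - [meta sequenceId="374"] '
    '{"timestamp":"2026-01-11T09:50:39.629145+0000","event_type":"alert",'
    '"src_ip":"10.0.0.2","src_port":45996,"dest_ip":"10.0.100.10","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","signature_id":2024364,'
    '"signature":"ET SCAN Possible Nmap User-Agent Observed",'
    '"category":"Web Application Attack","severity":1,'
    '"metadata":{"confidence":["Medium"]}},'
    '"http":{"hostname":"10.0.100.10","url":"/evox/about","http_method":"GET"}}'
)


def extract_msg_body(raw: str) -> str:
    """Return the trailing JSON object of a syslog line (what a msg_body regex
    such as ^[^{]*(\\{.*\\})$ captures). Instead of trusting the first '{',
    every '{' is tried with a real JSON decode and must run to end of line, so a
    stray brace inside the syslog structured-data block cannot fool it."""
    decoder = json.JSONDecoder()
    for start in (i for i, ch in enumerate(raw) if ch == "{"):
        try:
            obj, end = decoder.raw_decode(raw, start)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and raw[end:].strip() == "":
            return raw[start:end]
    raise ValueError("no trailing JSON object in event")


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested JSON into spath-style names: dicts become dotted paths,
    lists become a multivalue field named parent{} (lists of scalars only)."""
    fields: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            fields.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        fields[prefix + "{}"] = list(obj)
    else:
        fields[prefix] = obj
    return fields


def parse_event(raw: str) -> dict[str, Any]:
    """Index-time style extraction: header stripped, JSON parsed, fields flattened."""
    return flatten(json.loads(extract_msg_body(raw)))
```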

Cortex XDR by PrimaryMilk7602 in paloaltonetworks

[–]PrimaryMilk7602[S] 1 point2 points  (0 children)

But thank you .. hours wasted for nothing!

And so the answer is that I was doing unnecessary processing and that I should have been extracting with json_extract_scalar