data:image/s3,"s3://crabby-images/352f3/352f33ec081144bd8a14d0acf3bcff0e223b65d6" alt=""
Often, especially when providing context to analysts who are responsible for triaging alerts, it is useful to surface the whole nested JSON object that a cloud provider stores under one key as a single field, rather than scattering it across dozens of auto-extracted fields. Splunk's `spath` command does this: give it the path to the nested key and it returns that subtree as a field you can `table`, join, or attach to the alert as-is.

Note: if you have trouble manipulating the spath'd field, rename it first. Field names that contain dots and the `{}` array marker must be wrapped in single quotes inside `eval` (for example `eval details='properties.authenticationDetails{}'`), so a `rename` before any `eval` statements avoids that quoting altogether.
```spl
index=azure AND "signinlogs"
| spath properties.authenticationDetails{}
| table properties.authenticationDetails{}
```
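The following search is an added example and is not from the original post. It assumes the Azure AD SigninLogs schema as ingested into Splunk (`properties.userPrincipalName`, `properties.ipAddress`, `properties.status.errorCode` are assumed field paths; only `properties.authenticationDetails{}` appears in the post) and the same `index=azure "signinlogs"` scoping the post uses. It shows how to pull the nested `authenticationDetails` array out as one named field, collapse it to a single string so it survives as a single cell no matter whether `spath` returns it as one value or as a multivalue field, and place it next to the few scalar fields an analyst triages on.

```spl
index=azure "signinlogs"
| spath path=properties.authenticationDetails{} output=auth_details
| spath path=properties.userPrincipalName output=user
| spath path=properties.ipAddress output=src_ip
| spath path=properties.status.errorCode output=error_code
| eval auth_details=mvjoin(auth_details, " ; ")
| where isnotnull(auth_details)
| table _time user src_ip error_code auth_details
```

Using `output=` gives the extracted blob a plain field name up front, so no `rename` and no single-quoting is needed in later `eval` or `where` clauses. `mvjoin` is what guarantees a single-valued string: if `spath` hands back one value per array element, they are joined with a visible separator; if it already returned one value, `mvjoin` leaves it unchanged. The `where isnotnull(auth_details)` filter drops events that carry no authentication detail at all, which keeps the table focused on sign-ins that actually went through an authentication step.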
The post Splunk: How to Output Nested json as One Field appeared first on SOC Prime.