
Implement custom function for unrolling list of Name/Value pair objects #5

Closed
lowell80 opened this issue Nov 9, 2018 · 1 comment
Labels: custom function, enhancement (New feature or request)

Comments

@lowell80 (Member)

lowell80 commented Nov 9, 2018

Unroll lists of Name/Value pairs and turn them back into dicts/objects. (Rather than using xyseries key Name Value or eval {Name}=Value tricks.)

Take data that looks like this:

{
    "ExtendedProperties": [
        {
            "Name": "resultType",
            "Value": "Success"
        },
        {
            "Name": "auditEventCategory",
            "Value": "ApplicationManagement"
        },
        {
            "Name": "nCloud",
            "Value": "<null>"
        },
        {
            "Name": "actorContextId",
            "Value": "acaxxxxx-bb0e-42c4-xxxx-xxxxxxxxxxxx"
        },
        {
            "Name": "actorObjectId",
            "Value": "81bxxx08-123e-4a45-xxxx-xxxxxxxxxxxx"
        },
        {
            "Name": "actorObjectClass",
            "Value": "User"
        },
        {
            "Name": "actorUPN",
            "Value": "admin@splunk0365.onmicrosoft.com"
        }
    ]
}

And we want to instead map that to an object that looks like this:

{
    "resultType": "Success",
    "auditEventCategory": "ApplicationManagement",
    "nCloud": "<null>",
    "actorContextId": "acaxxxxx-bb0e-42c4-xxxx-xxxxxxxxxxxx",
    "actorObjectId": "81bxxx08-123e-4a45-xxxx-xxxxxxxxxxxx",
    "actorObjectClass": "User",
    "actorUPN": "admin@splunk0365.onmicrosoft.com"
}

And from a Splunk side of things, it would be helpful if we could assign these all to a common prefix.
So for example, if the prefix given was ExtProp. then the field names in Splunk would be ExtProp.resultType, ExtProp.auditEventCategory, ExtProp.nCloud, ... and so on.

May need to add some kind of field name sanitization to this as well, to prevent spaces and other weird characters from slipping through.

This entire approach would hide values if the same Name was given twice, but I think that's an acceptable risk. Know your data.

@lowell80 lowell80 modified the milestones: Post 2.0, Release 2.0 Nov 9, 2018
@lowell80 lowell80 added enhancement New feature or request custom function labels Nov 9, 2018
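As an added worked example (not code from this issue or from the jmespath-for-Splunk project), the transformation described above in plain Python: the Name/Value list is unrolled into a dict, a field prefix such as ExtProp. is applied, names are sanitized so spaces and odd characters do not reach Splunk, and the duplicate-Name case is made an explicit policy instead of silently hiding a value. The sample list, its duplicate and malformed entries, and the helper names (sanitize_field_name, unroll, on_duplicate) are constructed for illustration.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample shaped like the ExtendedProperties list in the issue.
# The duplicate actorUPN, the name with spaces, the empty name and the entry
# without a "Name" field are added deliberately to exercise the edge cases.
SAMPLE_EXTENDED_PROPERTIES = [
    {"Name": "resultType", "Value": "Success"},
    {"Name": "auditEventCategory", "Value": "ApplicationManagement"},
    {"Name": "nCloud", "Value": "<null>"},
    {"Name": "actorObjectClass", "Value": "User"},
    {"Name": "actorUPN", "Value": "admin@example.onmicrosoft.com"},
    {"Name": "actorUPN", "Value": "other@example.onmicrosoft.com"},
    {"Name": "Extension Attr 1", "Value": "x"},
    {"Name": "", "Value": "dropped"},
    {"NotName": "foo", "Value": "bar"},
]

# Anything outside this set becomes "_" so the result is a plain Splunk field name.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.]+")


def sanitize_field_name(name: Any) -> str:
    """Replace runs of unsafe characters with "_" and trim stray underscores."""
    return _UNSAFE.sub("_", str(name)).strip("_")


def unroll(objlist: List[Any], key: str = "Name", value: str = "Value",
           prefix: str = "", on_duplicate: str = "last") -> Tuple[Dict[str, Any], List[Any]]:
    """Turn [{key: k, value: v}, ...] into {prefix + sanitize(k): v, ...}.

    on_duplicate controls what happens when the same name appears twice:
      "last"  - the later entry wins (what the proof of concept does)
      "first" - the earlier entry wins
      "list"  - every value for that name is kept, in order, as a list
    Entries missing either field, or whose sanitized name is empty, are
    returned in the second element so the caller can see what was skipped.
    """
    if on_duplicate not in ("last", "first", "list"):
        raise ValueError("on_duplicate must be 'last', 'first' or 'list'")
    result: Dict[str, Any] = {}
    seen: Dict[str, int] = {}      # how many times each output field was produced
    skipped: List[Any] = []
    for item in objlist:
        if not isinstance(item, dict) or key not in item or value not in item:
            skipped.append(item)
            continue
        name = sanitize_field_name(item[key])
        if not name:
            skipped.append(item)
            continue
        field = prefix + name
        val = item[value]
        if field in seen:
            seen[field] += 1
            if on_duplicate == "first":
                continue
            if on_duplicate == "list":
                if seen[field] == 2:            # second occurrence: start the list
                    result[field] = [result[field]]
                result[field].append(val)
                continue
        else:
            seen[field] = 1
        result[field] = val
    return result, skipped


if __name__ == "__main__":
    flat, dropped = unroll(SAMPLE_EXTENDED_PROPERTIES, prefix="ExtProp.")
    for k, v in flat.items():
        print("{} = {!r}".format(k, v))
    print("skipped:", dropped)
```

Returning the skipped entries alongside the dict is the check a practitioner wants when the data is untrusted: a malformed or duplicated entry then shows up in the output rather than vanishing, and the "list" policy keeps both values when the "know your data" assumption turns out to be wrong.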
@lowell80 (Member, Author)

lowell80 commented Nov 9, 2018

Proof-of-concept implementation:

from jmespath import functions


class JmesPathSplunkExtraFunctions(functions.Functions):

    @functions.signature({'types': ['array']}, {'types': ['string']}, {'types': ['string']})
    def _func_unroll(self, objlist, key, value):
        # Build {item[key]: item[value]} for every item in the list.
        # A later item with the same key overwrites an earlier one.
        d = dict()
        for item in objlist:
            try:
                # Todo sanitize key names
                k = item[key]
                v = item[value]
                d[k] = v
            except (KeyError, TypeError) as e:
                return "Couldn't find key={} or value={} in {} ({})".format(key, value, item, e)
        return d

@lowell80 lowell80 added this to To do in Make it awesome Nov 9, 2018
lowell80 added a commit that referenced this issue Nov 9, 2018
- Added an initial implementation of the unroll(hash,'key','value') function
  for JMESPath.  Still not sure what it should be called, but the logic should
  work.  Closes #5.
- Add an online appinspect checking script.
@lowell80 lowell80 moved this from To do to Finished in Make it awesome Nov 9, 2018