我正在试用Microsoft Sentinel,并试图了解如何解析JSON元素。一个实验是,我在家里安装了温度和湿度传感器,并将其输入,现在的困难在于解析。。。它们是带有Message的syslog事件,其中包含JSON,如下所示。
SENSOR =
{
"ZbReceived":
{
"0x03FA":
{
"Device":"0x03FA",
"Name":"2_Back_Bedroom",
"Humidity":71.66,"Endpoint":1,
"LinkQuality":66
}
}
}
不幸的是,设备在JSON中包含设备ID作为标签,这让我很难弄清楚如何提取所有字段。有8个传感器,所以对每个传感器重复这个似乎效率很低,但也许这是必要的?
有没有一种方法可以从8个不同的传感器中提取值?我试过了。[0]。和其他变体,但没有运气。
print T = dynamic('SENSOR = {"ZbReceived":{"0x03FA":{"Device":"0x03FA","Name":"2_Back_Bedroom","Humidity":71.66,"Endpoint":1,"LinkQuality":66}}}')
| mv-expand humidity = parse_json(substring(T, 9)).ZbReceived.["0x03FA"].Humidity
| mv-expand device = parse_json(substring(T, 9)).ZbReceived.["0x03FA"].Device
| mv-expand name = parse_json(substring(T, 9)).ZbReceived.["0x03FA"].Name
| mv-expand battery = parse_json(substring(T, 9)).ZbReceived.["0x03FA"].Battery
| mv-expand temperature = parse_json(substring(T, 9)).ZbReceived.["0x03FA"].Temperature
快速解释:
在下
print T = dynamic('SENSOR = {"ZbReceived":{"0x03FA":{"Device":"0x03FA","Name":"2_Back_Bedroom","Humidity":71.66,"Endpoint":1,"LinkQuality":66}}}')
| parse tostring(T) with "SENSOR = " sensor:dynamic
| project device = sensor.ZbReceived[tostring(bag_keys(sensor.ZbReceived)[0])]
| evaluate bag_unpack(device)
| 设备 | 链接质量 | >名称||
|---|---|---|---|
| 0x03FA | 1 | 71.66 | 2_Back_Bedroom |