Using jq to get multiple fields from AWS CloudTrail JSON



I need to extract some fields from the JSON below. It comes from AWS CloudTrail, and I'm having a hard time figuring this out.

The fields I need are:

userIdentity.userName
eventTime
awsRegion
sourceIPAddress
responseElements.ConsoleLogin
eventID

JSON-

{
  "eventVersion": "x.xx",
  "userIdentity": {
    "type": "xxxxxxxxxx",
    "principalId": "xxxxxxxxxx",
    "arn": "xxxxxxxxxx",
    "accountId": "xxxxxxxxxx",
    "userName": "xxxxxxxxxx"
  },
  "eventTime": "2020-07-15T08:50:35Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "xxxxxxxxxx",
  "sourceIPAddress": "xxxxxxxxxx",
  "userAgent": "xxxxxxxxxx",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "LoginTo": "xxxxxxxxxx",
    "MobileVersion": "xxxxxxxxxx",
    "MFAUsed": "xxxxxxxxxx"
  },
  "eventID": "xxxxxxxxxx",
  "eventType": "xxxxxxxxxx",
  "recipientAccountId": "xxxxxxxxxx"
}

# CloudTrailEvent is a JSON document stored as a string: print it raw with jq -r, then parse it with a second jq
aws --region <region> cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --max-items 1 --output json |
jq -r '.Events[].CloudTrailEvent' |
jq '.userIdentity.userName, .eventTime, .awsRegion, .sourceIPAddress, .responseElements.ConsoleLogin, .eventID'
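
The same extraction as a single jq program, as an added example that is not part of the original post: it decodes the CloudTrailEvent string with fromjson and prints one tab-separated row per login, falling back to the ARN when userName is absent (as on root sign-ins). The function names console_logins_tsv and sample_events and all sample values are constructed for illustration.

```shell
# Added example: turn `aws cloudtrail lookup-events` JSON (on stdin) into
# one tab-separated row per ConsoleLogin event.
console_logins_tsv() {
  jq -r '
    .Events[]
    | .CloudTrailEvent          # a JSON document stored as a string
    | fromjson                  # decode it inside the same jq program
    | select(.eventName == "ConsoleLogin")
    | [ (.userIdentity.userName // .userIdentity.arn // "-"),
        .eventTime,
        .awsRegion,
        .sourceIPAddress,
        (.responseElements.ConsoleLogin // "-"),
        .eventID ]
    | @tsv
  '
}

# Constructed sample shaped like lookup-events output (all values invented).
# The second event has no userName, so the ARN is printed instead.
sample_events() {
  cat <<'EOF'
{"Events":[
 {"EventName":"ConsoleLogin","CloudTrailEvent":"{\"userIdentity\":{\"type\":\"IAMUser\",\"arn\":\"arn:aws:iam::111122223333:user/alice\",\"userName\":\"alice\"},\"eventTime\":\"2020-07-15T08:50:35Z\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"192.0.2.10\",\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"eventID\":\"evt-0001\"}"},
 {"EventName":"ConsoleLogin","CloudTrailEvent":"{\"userIdentity\":{\"type\":\"Root\",\"arn\":\"arn:aws:iam::111122223333:root\"},\"eventTime\":\"2020-07-15T09:01:02Z\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"198.51.100.7\",\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"eventID\":\"evt-0002\"}"}
]}
EOF
}

# Run on the constructed sample when jq is installed.
if command -v jq >/dev/null 2>&1; then
  sample_events | console_logins_tsv
fi

# Against the live API, using the same lookup as the command above:
#   aws --region <region> cloudtrail lookup-events \
#     --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
#     --output json | console_logins_tsv
```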
