Russell Cohen

Results 166 comments of Russell Cohen

Nested JSON isn't super well supported right now, but try `agrind '* | json | json from logdata'`: `echo '{"dst_host": "159.65.224.130", "dst_port": 23, "honeycred": false, "local_time": "2019-01-23 11:57:11.834296",...`

Yeah, makes sense. I assume you don't know the keys ahead of time? What would the ideal workflow be for you? Something like `* | json | count by logdata.user`?

Keeping the issue open to discuss longer term improvements

Yeah, I'm probably not going to add specific EVTX support... I could add support to redirect the pipeline to another program, though.

You might also try jq to do whatever complex JSON munging you want to do before piping the result to angle-grinder.

I think a good solution for this could be splatting JSON objects into 1-row-per KV like https://github.com/tomnomnom/gron -- @geekscrapy I'm curious if that would create a usable output for EVTX...
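The two ideas in this thread, decoding a JSON string that is itself embedded in a JSON field (`json | json from logdata`) and then splatting the result into one path/value row per leaf so you can `count by logdata.USERNAME`, are small enough to show end to end. The block below is an added example in Python, not angle-grinder's own code or gron's; the sample log lines, the `logdata` field name and the function names (`parse_line`, `splat`, `count_by`) are invented for illustration. It follows gron's path conventions (`.key` for object members, `[i]` for array elements, bracket-quoting for keys that are not plain identifiers) and handles the two failure modes a practitioner hits first: lines that are not JSON, and a nested field that is sometimes an object and sometimes a JSON-encoded string.

```python
import json
import re
from collections import Counter
from typing import Any, Dict, Iterable, Iterator, Optional, Tuple

# Constructed sample lines (invented for this example, not data from the thread).
# Line 3 carries `logdata` as a JSON *string* inside the outer JSON, the double-encoding
# case that `json from logdata` exists for; line 4 is junk that must be skipped.
SAMPLE_LINES = [
    '{"dst_host": "159.65.224.130", "dst_port": 23, "honeycred": false, '
    '"logdata": {"USERNAME": "root", "PASSWORD": "admin"}}',
    '{"dst_host": "159.65.224.130", "dst_port": 23, "honeycred": true, '
    '"logdata": {"USERNAME": "admin", "PASSWORD": "admin"}}',
    json.dumps({"dst_host": "10.0.0.5", "dst_port": 22,
                "logdata": json.dumps({"USERNAME": "root", "SESSION": [1, 2]})}),
    "not json at all",
]

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_line(line: str, nested_field: str = "logdata") -> Optional[Dict[str, Any]]:
    """Parse one line as a JSON object; return None for anything else.

    If `nested_field` holds a JSON-encoded string (a second layer of encoding),
    decode it in place, mirroring `json from logdata`. If it is already an
    object, or the string is not valid JSON, leave it as it is.
    """
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    inner = record.get(nested_field)
    if isinstance(inner, str):
        try:
            record[nested_field] = json.loads(inner)
        except json.JSONDecodeError:
            pass  # keep the raw string; it is still visible as a leaf value
    return record


def splat(value: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield one (path, leaf) pair per scalar, gron-style.

    Objects extend the path with `.key`, arrays with `[i]`. Keys that are not
    plain identifiers (dots, spaces, dashes) are bracket-quoted so the path
    stays unambiguous: {"a.b": 1} becomes `["a.b"]`, never `a.b`.
    """
    if isinstance(value, dict):
        if not value:
            yield prefix, {}
        for key, child in value.items():
            seg = f".{key}" if IDENT.match(key) else f'["{key}"]'
            yield from splat(child, prefix + seg if prefix else seg.lstrip("."))
        return
    if isinstance(value, list):
        if not value:
            yield prefix, []
        for i, child in enumerate(value):
            yield from splat(child, f"{prefix}[{i}]")
        return
    yield prefix, value


def count_by(lines: Iterable[str], path: str, nested_field: str = "logdata") -> Counter:
    """Emulate `* | json | json from <nested_field> | count by <path>` over raw lines."""
    counts: Counter = Counter()
    for line in lines:
        record = parse_line(line, nested_field)
        if record is None:
            continue
        for p, leaf in splat(record):
            # Only scalar leaves are countable; empty containers are reported but skipped.
            if p == path and isinstance(leaf, (str, int, float, bool, type(None))):
                counts[leaf] += 1
    return counts


if __name__ == "__main__":
    for path, leaf in splat(parse_line(SAMPLE_LINES[2])):
        print(f"{path} = {json.dumps(leaf)}")
    print(dict(count_by(SAMPLE_LINES, "logdata.USERNAME")))
```

Run stand-alone it prints the splatted rows for the double-encoded line, including `logdata.SESSION[0] = 1`, followed by the username counts; the junk line is dropped silently rather than aborting the pipeline, which is the behaviour you want when tailing a live honeypot log.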

With #73 adding a `splat` operator should be all that's required to get decent support for arbitrary nested structures.

Ah, that was probably written before proper nested field support was added. You can now refer to `logdata.PASSWORD` and `logdata.USERNAME` directly. If you want to restructure things, you can do...

reasonable feature, I think.

FYI, parsing is single-threaded at the moment; the full input stream is deterministically ordered.