Splunk SPL Commands

What Is the spath Command?

The spath command extracts fields from structured data formats — specifically JSON and XML. As cloud environments, APIs, and modern applications increasingly produce JSON-formatted logs, spath has become essential for security analysts working with data from AWS CloudTrail, Azure Activity Logs, Office 365, and container platforms.

Core Syntax

| spath [input=<field>] [output=<field>] [path=<extraction_path>]

Without arguments, spath auto-extracts all top-level fields. Use path= for specific nested extractions.

Security Operations Examples

1. AWS CloudTrail — API Call Analysis

index=aws sourcetype=aws:cloudtrail
| spath
| search eventName=ConsoleLogin
| stats count BY userIdentity.arn sourceIPAddress eventName
| sort - count

2. Extracting Nested JSON Fields

index=cloud sourcetype=azure:activity
| spath path=properties.statusCode output=status_code
| spath path=caller output=calling_user
| spath path=operationName.value output=operation
| stats count BY calling_user operation status_code

3. Kubernetes Container Logs

index=containers sourcetype=kube:container:log
| spath
| search level=ERROR
| stats count BY kubernetes.pod_name kubernetes.namespace_name message

4. Office 365 Audit Log Parsing

index=o365 sourcetype=o365:management:activity
| spath
| search Operation=FileAccessed OR Operation=FileDownloaded
| stats count values(ClientIP) AS source_ips BY UserId Operation ObjectId

JSON Array Handling

For JSON arrays, use bracket notation with spath:

| spath path=requestParameters.groupSet.items{}.groupId output=security_groups

Iterating Over Arrays

index=aws sourcetype=aws:cloudtrail eventName=AuthorizeSecurityGroupIngress
| spath path=requestParameters.ipPermissions.items{} output=permissions
| mvexpand permissions
| spath input=permissions path=ipRanges.items{}.cidrIp output=allowed_cidr
| where allowed_cidr="0.0.0.0/0"
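To make the path semantics concrete, here is an added Python model of what the two spath calls above do to a CloudTrail event. It is example code written for this article, not Splunk's implementation: `spath()` resolves a dotted path where `key{}` fans out over every element of an array, and `open_ingress_rules()` replays the search pipeline (array extraction, one row per item via mvexpand, second extraction with `input=`). The `SAMPLE_EVENT` is a constructed AuthorizeSecurityGroupIngress record trimmed to the fields the search uses, and the `{N}` index form of spath is deliberately not modelled.

```python
import json
import re

# Constructed sample event (not a captured CloudTrail record): two ingress rules,
# one restricted to an internal range and one open to the world on port 22.
SAMPLE_EVENT = json.dumps({
    "eventName": "AuthorizeSecurityGroupIngress",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"},
                                    {"cidrIp": "198.51.100.0/24"}]}},
        ]},
    },
})

# One path segment: a key followed by zero or more "{}" array markers.
_SEGMENT = re.compile(r"^([^{}]+)((?:\{\})*)$")


def spath(raw, path):
    """Model of `spath path=<path>` (this article's example, not Splunk's code).

    `raw` is JSON text (like _raw) or an already-parsed value (like a field that an
    earlier spath produced, i.e. the `input=` case). Returns a list of values: an empty
    list means nothing was extracted, one element is a single-value field, more than
    one is a multivalue field, which is what `key{}` produces for arrays.
    """
    data = json.loads(raw) if isinstance(raw, str) else raw
    current = [data]
    for segment in path.split("."):
        m = _SEGMENT.match(segment)
        if not m:
            raise ValueError(f"unsupported path segment: {segment!r}")
        key, brackets = m.group(1), m.group(2)
        # Step into the key on every node we are currently holding.
        nxt = [node[key] for node in current if isinstance(node, dict) and key in node]
        # Each "{}" flattens one level of array into separate values.
        for _ in range(len(brackets) // 2):
            nxt = [item for node in nxt if isinstance(node, list) for item in node]
        current = nxt
    return current


def open_ingress_rules(raw):
    """Replay of the Iterating Over Arrays search: extract each ipPermissions item,
    treat each as its own row (mvexpand), then extract cidrIp from that item only
    (spath input=permissions) and keep ranges open to the world.
    Returns (fromPort, toPort, cidr) tuples for every matching range."""
    hits = []
    for perm in spath(raw, "requestParameters.ipPermissions.items{}"):
        for cidr in spath(perm, "ipRanges.items{}.cidrIp"):
            if cidr == "0.0.0.0/0":
                hits.append((perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits


if __name__ == "__main__":
    # A single path with two "{}" markers flattens every CIDR into one multivalue
    # field and loses which port each belongs to; that is why the search expands
    # the permissions first and runs the second spath per item.
    print(spath(SAMPLE_EVENT, "requestParameters.ipPermissions.items{}.ipRanges.items{}.cidrIp"))
    print(open_ingress_rules(SAMPLE_EVENT))
```

Run it and compare the two printed lines: the flattened extraction lists all three CIDRs with no port context, while the per-item replay reports only the port 22 rule as open to 0.0.0.0/0, which is the row the `where` clause in the search would keep.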

spath vs. rex vs. eval with json functions

Approach                 Best For
spath                    Structured JSON/XML — automatic or path-based extraction
rex                      Unstructured text — regex-based extraction
eval + json_extract()    Programmatic JSON access within eval expressions

Best Practices

  • Use path= for specific fields — Bare spath extracts everything, which is slow on deeply nested structures.
  • Use input= for non-_raw fields — If your JSON is in a specific field, target it directly.
  • Combine with mvexpand for arrays — Extract arrays with spath, then expand them for per-item analysis.
  • Define extractions in props.conf for high-volume sources — For data you query constantly (CloudTrail, Azure), configure the JSON extraction once in props.conf (KV_MODE = json for search-time extraction, or INDEXED_EXTRACTIONS = json at index time) so the fields are available without an explicit spath in every search.

Next in the series: The rename and fillnull commands — data cleanup and preparation.
