I have data in the format of:
{"cidr":"1.10.16.0/20","sblid":"SBL256894","rir":"apnic"}
{"cidr":"1.19.0.0/16","sblid":"SBL434604","rir":"apnic"}
{"cidr":"1.32.128.0/18","sblid":"SBL286275","rir":"apnic"}
{"cidr":"2.56.192.0/22","sblid":"SBL459831","rir":"ripencc"}
{"cidr":"2.57.122.0/24","sblid":"SBL636050","rir":"ripencc"}
{"cidr":"2.57.168.0/24","sblid":"SBL628448","rir":"ripencc"}
{"cidr":"2.57.232.0/23","sblid":"SBL538946","rir":"ripencc"}
{"cidr":"2.57.234.0/23","sblid":"SBL538947","rir":"ripencc"}
{"cidr":"5.42.92.0/24","sblid":"SBL625300","rir":"ripencc"}
{"cidr":"5.105.62.0/24","sblid":"SBL619555","rir":"ripencc"}
{"cidr":"5.105.220.0/24","sblid":"SBL627956","rir":"ripencc"}
{"cidr":"5.134.128.0/19","sblid":"SBL270738","rir":"ripencc"}
{"cidr":"5.182.112.0/24","sblid":"SBL654749","rir":"ripencc"}
{"cidr":"5.183.60.0/22","sblid":"SBL463004","rir":"ripencc"}
I've tried various permutations of $.cidr, and so far nothing is being selected. Since this is a bunch of objects at the root level, Grok told me $.*.cidr should work. However, that does not work in any of the tools I've tried for checking the syntax. The simulated output Grok runs gives me the IP addresses I'm looking for; however, the command does not work. How could I properly select the cidr element with a path expression?
Figured out my issue. OPNsense does not support JSON Path Expressions, or jq expressions. The notation they currently support would not work in most online JSON validators. They support what their UI calls Path Expressions, which is just the name of the column.
This is a new feature in their firewall that does not have documentation yet. To select from that list of data in the cidr column, cidr is what needs to be input when querying the data set.
I don't yet know for sure how to select multiple columns (I assume the notation will be listed in their documentation eventually), but my guess would be some variation of & or &&.
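A sketch of the column-name selection described in this answer, added as an example and not taken from the post or from OPNsense's code: the feed shown in the question is one JSON object per line rather than a single JSON document, so each line is parsed on its own and the value is picked by key. The function names and the two malformed sample lines are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: three records from the question plus two bad lines
# (line 3 is not JSON, line 4 has host bits set and a made-up sblid).
SAMPLE_FEED = """\
{"cidr":"1.10.16.0/20","sblid":"SBL256894","rir":"apnic"}
{"cidr":"2.56.192.0/22","sblid":"SBL459831","rir":"ripencc"}
not json at all
{"cidr":"5.42.92.1/24","sblid":"SBL000000","rir":"ripencc"}
{"cidr":"5.183.60.0/22","sblid":"SBL463004","rir":"ripencc"}
"""

def is_single_json_document(text):
    """True only if the whole text parses as one JSON value."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def select_column(text, column):
    """Parse line by line; return ([(lineno, value)], [rejected linenos])."""
    values, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            value = json.loads(line)[column]
        except (json.JSONDecodeError, KeyError, TypeError, IndexError):
            rejected.append(lineno)
            continue
        values.append((lineno, value))
    return values, rejected

def valid_networks(text, column="cidr"):
    """Keep only values that are well-formed networks; report the rest."""
    selected, rejected = select_column(text, column)
    networks = []
    for lineno, value in selected:
        try:
            if not isinstance(value, str):
                raise ValueError("CIDR must be a string")
            # strict=True rejects entries such as 5.42.92.1/24 (host bits set)
            networks.append(ipaddress.ip_network(value, strict=True))
        except ValueError:
            rejected.append(lineno)
    return networks, sorted(rejected)

if __name__ == "__main__":
    print(is_single_json_document(SAMPLE_FEED))
    print(valid_networks(SAMPLE_FEED))
```

Rejected line numbers are returned rather than silently dropped, so a feed that suddenly loses most of its entries is visible before the list is loaded into a block rule.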