{"_id":"wo2yaGoBPzIHdg4Orf2o","_type":"doc","_index":"test_2019.04","@timestamp":["2019-04-29T10:45:01.025Z"],"success":true,"event_msg":"***Preformatted texthas detected a threat against your company.","event_detailedMsg":"The application WmiPrvSE.exe was detected running. A Terminate Policy Action was applied","event_email":"Email: Janewin7\\jane","event_severity":"Severity: Threat","event_url":"https://defense-prod05.conferdeploy.net#device/663442/incident/GWCD1UCR","event_name":"Name: Janewin7","event_threadscore":"Threat score: 3","@version":"1","event_incidentid":"Incident id: GWCD1UCR","event_priority":"Threat priority greater than 1","event_ostype":"Type and OS: WINDOWS Windows 10 x64","notifications":[{"threatInfo":{"indicators":[{"indicatorName":"READ_SECURITY_DATA","sha256Hash":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15","applicationName":"WmiPrvSE.exe"},{"indicatorName":"RAM_SCRAPING","sha256Hash":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15","applicationName":"WmiPrvSE.exe"},
Above is the JSON data. I want to show all the indicatorName values in a table by accessing the field “notifications.threatInfo.indicators.indicatorName.keyword”. However, I can only see the field “notifications.threatInfo.indicators” from the table panel, but in the graph panel I can see the field “notifications.threatInfo.indicators.indicatorName.keyword”.
Kindly advise. In Splunk, I can easily show it in a table panel.
Think there’s a limitation on how many levels deep properties are processed. Seems like 3 is the maximum depth, looking at the source code. This code is used by the JSON transformer for the table panel.
I’m guessing that 3 levels deep is due to possible performance issues if you have a lot of documents/rows.
Would suggest you open an issue regarding this if this is important to you.
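To make the depth limit concrete, here is an added illustration (not Grafana's own transformer code): a depth-limited flattener run over a constructed document shaped like the one in the question, showing that `notifications.threatInfo.indicators` sits at depth 3 while `...indicators.indicatorName` is at depth 4. The depth cap, the "arrays add no path segment" rule and the sample values are assumptions for this demonstration.

```javascript
// Added illustration, not Grafana's own code: a depth-limited flattener that
// mimics the behaviour described in the answer above. The depth cap and the
// flattening rules are assumptions made for this demonstration.

// Constructed sample shaped like the Elasticsearch document in the question
// (placeholder values, trimmed to the fields that matter here).
const sampleDoc = {
  success: true,
  event_incidentid: "Incident id: PLACEHOLDER",
  notifications: [
    {
      threatInfo: {
        indicators: [
          { indicatorName: "READ_SECURITY_DATA", applicationName: "WmiPrvSE.exe" },
          { indicatorName: "RAM_SCRAPING", applicationName: "WmiPrvSE.exe" },
        ],
      },
    },
  ],
};

// Store a column value; repeated names (values gathered from array elements)
// accumulate into a list, as Elasticsearch multi-valued fields do.
function put(out, name, v) {
  out[name] = name in out ? [].concat(out[name], v) : v;
}

// Flatten `value` into dotted column names. Arrays add no path segment (so the
// name matches the Elasticsearch field path) but objects count towards
// `maxDepth`; once the cap is reached the remaining subtree is left as one
// opaque JSON-encoded cell, which is why deeper fields never become columns.
function flatten(value, maxDepth, prefix = "", depth = 0, out = {}) {
  const isContainer = value !== null && typeof value === "object";
  if (!isContainer) { put(out, prefix, value); return out; }
  if (depth >= maxDepth) { put(out, prefix, JSON.stringify(value)); return out; }
  if (Array.isArray(value)) {
    for (const item of value) flatten(item, maxDepth, prefix, depth, out);
    return out;
  }
  for (const [key, child] of Object.entries(value)) {
    flatten(child, maxDepth, prefix ? `${prefix}.${key}` : key, depth + 1, out);
  }
  return out;
}

// Column names a table panel would offer at a given depth cap.
function tableColumns(doc, maxDepth) {
  return Object.keys(flatten(doc, maxDepth));
}

console.log(tableColumns(sampleDoc, 3)); // stops at ...threatInfo.indicators
console.log(tableColumns(sampleDoc, 4)); // ...indicators.indicatorName appears
```

Raising the cap to 4 is what turns `indicatorName` into its own multi-valued column; at 3 the whole `indicators` array is a single cell.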