Hi,
I’m looking for a Linux command, or tool, to search the eve.json file.
I have another file that only contains a list of IP addresses, and I would like to know if any of these addresses appear in the eve.json file.
Something like a grep, but using the list from a file.
Thanks
One of the most used tools for working on JSON files is jq;
see GitHub - stedolan/jq: Command-line JSON processor.
Given an eve.json and a file containing one IP address per line, addresses.txt, you can do something like the following:

jq -r 'select(.src_ip) | .src_ip' /var/log/suricata/eve.json | sort -u | comm -12 - <(sort addresses.txt)

This will output the source IP addresses from eve.json that exist in addresses.txt.
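The jq/comm pipeline above only looks at src_ip, and a plain `grep -F -f addresses.txt eve.json` would do substring matching (the entry 10.0.0.1 also matches 10.0.0.10, and an uncompressed IPv6 watchlist entry never matches Suricata's compressed form). As an added example that is not part of the original answer, the same intersection in Python, checking both src_ip and dest_ip, normalizing addresses with the standard `ipaddress` module, skipping non-JSON lines, and contrasting the result with naive substring matching. The eve.json lines and the watchlist below are constructed for the example and are not real traffic.

```python
"""Intersect Suricata eve.json (NDJSON) events with an IP watchlist.

Added example: checks src_ip and dest_ip, normalizes addresses so that
"2001:0db8::1" and "2001:db8::1" compare equal, tolerates non-JSON lines,
and shows the false positive a substring grep would produce.
"""
import ipaddress
import json

# Constructed eve.json excerpt (one event per line); documentation ranges only.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.1","dest_ip":"192.0.2.10","alert":{"signature":"TEST SIG","signature_id":1000001}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.10","dest_ip":"198.51.100.7"}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"10.0.0.53"}
{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"flow","src_ip":"2001:db8::1","dest_ip":"192.0.2.20"}
{"timestamp":"2024-01-01T00:00:05.000000+0000","event_type":"stats","stats":{"uptime":60}}
not json at all - e.g. a line truncated by log rotation
"""

# Constructed watchlist: one address per line, blank lines and comments allowed.
SAMPLE_ADDRESSES = """\
# hypothetical watchlist
10.0.0.1
198.51.100.7

2001:0db8:0000:0000:0000:0000:0000:0001
10.0.0.53
"""

IP_FIELDS = ("src_ip", "dest_ip")


def normalize_ip(text):
    """Return the canonical string form of an IPv4/IPv6 address, or None if invalid."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def load_watchlist(text):
    """Parse a one-address-per-line list into a set of canonical addresses."""
    watch = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip = normalize_ip(line)
        if ip is not None:
            watch.add(ip)
    return watch


def find_matches(eve_text, watchlist):
    """Return one record per (event, field) whose address is in the watchlist.

    Non-JSON lines and events without src_ip/dest_ip (e.g. stats) are skipped
    rather than aborting the scan.
    """
    matches = []
    for lineno, raw in enumerate(eve_text.splitlines(), start=1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        for field in IP_FIELDS:
            ip = normalize_ip(str(event.get(field, "")))
            if ip in watchlist:
                matches.append({
                    "line": lineno,
                    "field": field,
                    "ip": ip,
                    "event_type": event.get("event_type"),
                    "timestamp": event.get("timestamp"),
                })
    return matches


def naive_substring_lines(eve_text, address_text):
    """Line numbers a plain `grep -F -f addresses.txt eve.json` would report.

    Substring matching flags line 2 (10.0.0.10 contains 10.0.0.1) and misses
    line 4 (uncompressed IPv6 in the list vs compressed form in the log).
    """
    needles = [l.strip() for l in address_text.splitlines()
               if l.strip() and not l.startswith("#")]
    return sorted({
        lineno for lineno, raw in enumerate(eve_text.splitlines(), start=1)
        if any(n in raw for n in needles)
    })


if __name__ == "__main__":
    watch = load_watchlist(SAMPLE_ADDRESSES)
    for m in find_matches(SAMPLE_EVE, watch):
        print(f"line {m['line']}: {m['field']}={m['ip']} "
              f"({m['event_type']} @ {m['timestamp']})")
    print("substring grep would flag lines:",
          naive_substring_lines(SAMPLE_EVE, SAMPLE_ADDRESSES))
```

To run it against a real log, replace the two constructed strings with `open("/var/log/suricata/eve.json").read()` and `open("addresses.txt").read()`; for multi-gigabyte logs iterate over the file object line by line instead of reading it whole, since the logic is already one line at a time.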
Hi,
Great, perfect.
Thanks a lot