CloudTrail JSON Files: View Recommendations
Some recommended practices for configuring views to search and visualize CloudTrail indexed data
As you plan to create Refinery® views to enable the searching and visualization of the indexed data for your CloudTrail JSON files, consider these setup recommendations.
| Recommendation | Effect |
|---|---|
| Transform applicable JSON strings to support Elastic nested queries. | For arrays or nested JSON objects indexed as JSON strings like Records.requestParameters and Records.responseElements, use the out-of-box Treat as Nested JSON transform to enable more than just basic text string searches. |
| Extract data from JSON strings to materialize columns for filtering. | If there are fields inside JSON strings, use the out-of-box Materialize with JSONPath or Materialize with JQ transform to create a materialized column from a field identified by a JSON path string. |
The following sections provide some examples of how to use the JSON Flex and standard view features.
Transform JSON String Fields to Support Nest JSON Searches
For the indexed fields that you indexed as JSON strings like Records.requestParameters and Records.responseElements, use the out-of-box Treat as Nested JSON transform to enable more refined Elastic nested query syntax searches. For example, if you wanted to search for a specific account ID value, you can use the Elastic nested query syntax to create a path to the search value in the filter area:
Updated 4 months ago