pyjq
A simple Python package to query JSON data.
Features
- Supports plain JSON files
- Supports multiple JSON objects in one file, delimited by newlines (\n)
- Supports gzipped files
- Supports customizable filters
- Supports datetime range filters on a chosen field
Todo
The filters can be extended easily by building on the Python 3 stdlib operator module. See pyjq.PyJQ.filter to extend the ops mapping.
Installation
pip install pyjq-ng
Example data
See example/alerts.json.
pyjq works line by line (input split on \n). It has been used on Wazuh alert JSON files and Django dumps.
pyjq -j examples/django_dump.json -limit 2 -filter 'fields__original_url == https://google.com'
pyjq -j examples/django_dump.json -limit 2 -filter 'model == urlshortener.urlshortener'
Usage
'agent__name' is an example of the path notation pyjq uses to reach nested children; in other words it means json['agent']['name']. There is no limit on the number of nesting levels.
Apply custom filters combined with the and/or operators on a Wazuh alert file
pyjq -j ../Scaricati/alerts.json -filter 'agent__ip == 172.16.16.102 and agent__name == telegram-gw or agent__ip == 172.16.16.108'
Contains operator
pyjq -j ../Scaricati/alerts.json -filter 'rule__description in iptables and agent__name == dev-bastion'
Convert a specified field to a datetime object and filter on a specified range
pyjq -j ../Scaricati/alerts.json -start_datetime 2020-04-06T10:22:00 -end_datetime 2020-04-06T13:22:00 -datetime_field timestamp
Realtime reading: only the newest entries, delimited by newline \n, are processed
pyjq -j /var/ossec/logs/alerts/alerts.json -datetime_field timestamp -realtime
Use a gzipped json file directly
pyjq -j ../Scaricati/alerts.json.gzip
Limit results to 2
pyjq -j ../Scaricati/alerts.json -limit 2
Realtime monitoring of a specific entity
pyjq -j /var/ossec/logs/alerts/alerts.json -realtime -filter 'agent__name == tinyurl and rule__level == 3'
Custom callback, useful for bot integrations and other pub/sub APIs
python3 pyjq -j examples/alerts.json -realtime -filter 'agent__name == tinyurl and rule__description in ssh' -callback 'examples.callback.things'
Reading from stdin
cat examples/alerts.json | python3 ./pyjq -filter 'rule__level > 3'
# continuous processing
tail -f /tmp/alerts.json | python3 ./pyjq -filter 'location != osquery'
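The query semantics the usage examples rely on, as an added stand-alone reimplementation (not pyjq's own code): the `__` path notation, the `==`, `!=`, `>`, `<` and `in` (substring) operators combined with `and`/`or`, a datetime range on a chosen field, and `-limit`, run over constructed newline-delimited alerts. It generalises the README's examples to the whole operator set; the precedence of `and` over `or` and the rule that a record lacking the field never matches are assumptions, not documented pyjq behaviour.

```python
import json
import operator
from datetime import datetime
# Constructed sample: three newline-delimited, Wazuh-style alerts (not real data).
SAMPLE_NDJSON = """\
{"timestamp": "2020-04-06T11:00:00", "agent": {"name": "telegram-gw", "ip": "172.16.16.102"}, "rule": {"level": 5, "description": "sshd: authentication failed"}}
{"timestamp": "2020-04-06T14:00:00", "agent": {"name": "dev-bastion", "ip": "172.16.16.108"}, "rule": {"level": 3, "description": "iptables drop"}}
{"timestamp": "2020-04-06T12:30:00", "agent": {"name": "tinyurl", "ip": "172.16.16.110"}, "rule": {"level": 3, "description": "osquery result"}}
"""

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       "in": lambda field, needle: needle in str(field)}  # 'in' is substring containment

def lookup(obj, path):
    """Resolve 'agent__name' to obj['agent']['name']; a missing key yields None."""
    for key in path.split("__"):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def coerce(value, like):
    """Filter values arrive as strings; cast to the field's numeric type when it has one."""
    numeric = isinstance(like, (int, float)) and not isinstance(like, bool)
    return type(like)(value) if numeric else value

def match(obj, expr):
    """Evaluate 'a == x and b in y or c > 3'; 'and' binds tighter than 'or' (assumption)."""
    def clause(text):
        path, op, value = text.split(None, 2)
        field = lookup(obj, path)
        # A record lacking the field never matches, even for '!=' (assumption).
        return field is not None and OPS[op](field, coerce(value, field))
    return any(all(clause(c) for c in group.split(" and "))
               for group in expr.split(" or "))

def query(ndjson, expr=None, start=None, end=None, dt_field="timestamp", limit=None):
    """Apply -filter, -start_datetime/-end_datetime (ISO strings) on -datetime_field, and -limit."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    hits = []
    for line in filter(str.strip, ndjson.splitlines()):  # skip blank lines
        obj = json.loads(line)
        ts = datetime.fromisoformat(lookup(obj, dt_field)) if lo or hi else None
        if ts and ((lo and ts < lo) or (hi and ts > hi)):
            continue
        if expr and not match(obj, expr):
            continue
        hits.append(obj)
        if limit and len(hits) >= limit:
            break
    return hits
```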
Author
Giuseppe De Marco giuseppe.demarco@unical.it
Credits
Wazuh SIEM group @GarrLab
File details
Details for the file pyjq-ng-0.7.0.tar.gz
File metadata
- Download URL: pyjq-ng-0.7.0.tar.gz
- Size: 5.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.1.3 requests-toolbelt/0.9.1 tqdm/4.45.0 CPython/3.7.4
File hashes
Algorithm | Hash digest
---|---
SHA256 | cd80a9e3321f23f0f71cd10227bac9443f369618a2ef4d4bf80d17a6dc488244
MD5 | 9537bbda5ce1afd325dea154483d71f7
BLAKE2b-256 | 3ad6314301f2e0f319a8357535d5e04e1cf9cc4f73577409f910e6b9599404e1
File details
Details for the file pyjq_ng-0.7.0-py3-none-any.whl
File metadata
- Download URL: pyjq_ng-0.7.0-py3-none-any.whl
- Size: 6.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.1.3 requests-toolbelt/0.9.1 tqdm/4.45.0 CPython/3.7.4
File hashes
Algorithm | Hash digest
---|---
SHA256 | 8529e4dcf209177cc98182b77d4f7cc2b19625beaf892fcc167206c715a7c3d1
MD5 | dab1872573b6766299bf24e0246bf81a
BLAKE2b-256 | f6bfe3a16ba2a3d2b0bdf4ac34b91e1316910e665ab167a60ca3edde29e96628