jq is great for CLI manipulation of JSON data! Handy little bit of knowledge here, stashing so I can remember.
You’re probably familiar with the fact that you can use the command-line tool jq to pretty-print JSON, like this:
$ cat file.json | jq "." | head -n 30
[
  {
    "collection": "state_of_oklahoma",
    "ip_address": "156.110.191.1",
    "port": 3389,
    "protocol": "tcp",
    "service": "RDP",
    "first_seen": null,
    "last_seen": null,
    "timestamp": "2019-05-12T02:02:29+00:00"
  },
  {
    "collection": "state_of_oklahoma",
    "ip_address": "156.110.192.1",
    "port": 3389,
    "protocol": "tcp",
    "service": "RDP",
    "first_seen": null,
    "last_seen": null,
    "timestamp": "2019-05-12T02:02:41+00:00"
  },
But did you know you can use it to query attributes? For instance, if you want to get the ip_address of all items running RDP, you can query like such:
$ cat file.json | jq -c '.[]| select(.service=="RDP") | .ip_address'
This essentially tells jq to iterate through the outer array, select any object whose “service” field is set to “RDP”, and then print its ip_address field. And the output?
$ cat file.json | jq -c '.[]| select(.service=="RDP") | .ip_address'
"156.110.191.1"
"156.110.192.1"
...
Also, if you want those quotes removed, add a ‘-r’ switch:
$ cat file.json | jq -r -c '.[]| select(.service=="RDP") | .ip_address'
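Going a step beyond the one-liners above, here is an added example (not from the original post) that turns the same query into a small exposure inventory: the service name is passed with `--arg` instead of being spliced into the filter, records with a null address are skipped, and repeated sightings are de-duplicated. The function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records in the same shape as the file.json shown above
# (addresses come from the documentation ranges, not from real scan results).
sample_json() {
cat <<'EOF'
[
  {"collection":"example","ip_address":"192.0.2.10","port":3389,"protocol":"tcp","service":"RDP","timestamp":"2019-05-12T02:02:29+00:00"},
  {"collection":"example","ip_address":"192.0.2.11","port":22,"protocol":"tcp","service":"SSH","timestamp":"2019-05-12T02:02:35+00:00"},
  {"collection":"example","ip_address":"192.0.2.10","port":3389,"protocol":"tcp","service":"RDP","timestamp":"2019-05-13T02:02:29+00:00"},
  {"collection":"example","ip_address":"198.51.100.7","port":3390,"protocol":"tcp","service":"RDP","timestamp":"2019-05-12T02:02:41+00:00"},
  {"collection":"example","ip_address":null,"port":3389,"protocol":"tcp","service":"RDP","timestamp":null}
]
EOF
}

# hosts_for_service SERVICE (hypothetical helper): read the JSON array on
# stdin and print one "ip:port" line per distinct endpoint running SERVICE.
# --arg binds SERVICE to $svc as a plain string, so it is compared as data
# and never parsed as part of the jq filter.
hosts_for_service() {
  jq -r --arg svc "$1" '
    [ .[]
      | select(.service == $svc and .ip_address != null)
      | "\(.ip_address):\(.port)" ]
    | unique
    | .[]'
}

# service_counts (hypothetical helper): print "SERVICE<TAB>COUNT", counting
# each distinct ip/port pair once per service.
service_counts() {
  jq -r '
    map(select(.ip_address != null) | {service, ip_address, port})
    | unique
    | group_by(.service)
    | .[]
    | "\(.[0].service)\t\(length)"'
}

sample_json | hosts_for_service RDP
sample_json | service_counts
```

Against a real export, replace `sample_json |` with `cat file.json |` as in the commands above.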
Hope this is helpful. Check out the jq tutorial for more info!