Drill 06: Infrastructure Patterns
Real-world patterns for infrastructure JSON: ISE sessions, k8s pods, Vault secrets.
Run This Drill
bash ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/examples/jq-drills/06-infrastructure.sh
Drill Script
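#!/bin/bash
# JQ DRILL 06: INFRASTRUCTURE PATTERNS
# Paste this entire script into your terminal
# Topics: Real API responses, k8s, netapi, Vault patterns
#
# The fixtures are written to fixed, well-known names in /tmp because every
# drill command on this page refers to those paths. /tmp is shared and
# world-writable, so a plain `>` redirect would follow a symlink, or reuse a
# file, that another local user created under the same name beforehand.
# write_fixture avoids that. When adapting these patterns to real ISE,
# kubectl or Vault output, prefer a private directory from `mktemp -d` over
# fixed /tmp names.

#######################################
# Write stdin to a fixture file, replacing whatever currently holds the name.
# Arguments: $1 - destination path
# Inputs:    fixture content on stdin
# Returns:   non-zero if the old name cannot be removed or the new file
#            cannot be created; never calls exit, so it is safe to paste
#            into an interactive shell
#######################################
write_fixture() {
  (
    # Subshell: the umask and noclobber settings stay local to this call.
    umask 077
    set -o noclobber
    # rm unlinks the name itself, never a symlink's target. With noclobber
    # the redirect then refuses to overwrite a file that reappears under
    # the same name between the rm and the write.
    rm -f -- "$1" && cat > "$1"
  )
}

# Simulated netapi ISE response
write_fixture /tmp/jq-ise.json << 'EOF'
{
"sessions": [
{"macAddress": "00:11:22:33:44:55", "ipAddress": "10.50.10.101", "userName": "alice@INSIDE.DOMUSDIGITALIS.DEV", "nasIpAddress": "10.50.1.10", "authMethod": "dot1x", "state": "AUTHENTICATED", "sessionTime": 3600},
{"macAddress": "AA:BB:CC:DD:EE:FF", "ipAddress": "10.50.10.102", "userName": "bob@INSIDE.DOMUSDIGITALIS.DEV", "nasIpAddress": "10.50.1.11", "authMethod": "dot1x", "state": "AUTHENTICATED", "sessionTime": 1800},
{"macAddress": "11:22:33:44:55:66", "ipAddress": "10.50.99.50", "userName": "GUEST", "nasIpAddress": "10.50.1.10", "authMethod": "mab", "state": "AUTHENTICATED", "sessionTime": 600},
{"macAddress": "DE:AD:BE:EF:00:01", "ipAddress": null, "userName": null, "nasIpAddress": "10.50.1.12", "authMethod": "dot1x", "state": "FAILED", "sessionTime": 0}
]
}
EOF

# Simulated kubectl get pods -o json
write_fixture /tmp/jq-k8s.json << 'EOF'
{
"items": [
{"metadata": {"name": "wazuh-indexer-0", "namespace": "wazuh"}, "status": {"phase": "Running", "containerStatuses": [{"ready": true, "restartCount": 0}]}},
{"metadata": {"name": "wazuh-manager-0", "namespace": "wazuh"}, "status": {"phase": "Running", "containerStatuses": [{"ready": true, "restartCount": 2}]}},
{"metadata": {"name": "prometheus-0", "namespace": "monitoring"}, "status": {"phase": "Running", "containerStatuses": [{"ready": true, "restartCount": 0}]}},
{"metadata": {"name": "grafana-abc123", "namespace": "monitoring"}, "status": {"phase": "Pending", "containerStatuses": [{"ready": false, "restartCount": 5}]}},
{"metadata": {"name": "argocd-server-xyz789", "namespace": "argocd"}, "status": {"phase": "Running", "containerStatuses": [{"ready": true, "restartCount": 0}]}}
]
}
EOF

# Simulated Vault list response (mount names only, no secret values)
write_fixture /tmp/jq-vault.json << 'EOF'
{
"data": {
"keys": [
"pki/",
"pki_int/",
"ssh/",
"kv/",
"transit/"
]
}
}
EOF

# Do not leave the helper defined when the script was pasted into a terminal.
unset -f write_fixture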
# Title banner followed by one blank line. printf is used so the leading and
# trailing spaces of the title line are kept exactly as given.
printf '%s\n' \
  "==================================================================" \
  " JQ DRILL 06: INFRASTRUCTURE PATTERNS " \
  "==================================================================" \
  ""
# ---------------------------------------------------------------------------
# DRILL 6.1: aggregate and filter the simulated ISE session list.
# Each step prints the command literally (quoted here-doc, no expansion) and
# then runs the same filter against /tmp/jq-ise.json.
cat << 'SHOW'
------------------------------------------------------------------
DRILL 6.1: ISE SESSION ANALYSIS
Real patterns from netapi ise mnt sessions
------------------------------------------------------------------

Command: Count sessions by auth method
jq '.sessions | group_by(.authMethod) | map({method: .[0].authMethod, count: length})' /tmp/jq-ise.json
SHOW
jq '.sessions | group_by(.authMethod) | map({method: .[0].authMethod, count: length})' /tmp/jq-ise.json

cat << 'SHOW'

Command: Find failed authentications
jq '.sessions[] | select(.state == "FAILED") | {mac: .macAddress, nas: .nasIpAddress}' /tmp/jq-ise.json
SHOW
jq '.sessions[] | select(.state == "FAILED") | {mac: .macAddress, nas: .nasIpAddress}' /tmp/jq-ise.json

# select(.userName) drops sessions whose userName is null; split("@")[0]
# keeps only the part before the first "@", so the realm is discarded.
cat << 'SHOW'

Command: Extract usernames (clean domain)
jq -r '.sessions[] | select(.userName) | .userName | split("@")[0]' /tmp/jq-ise.json
SHOW
jq -r '.sessions[] | select(.userName) | .userName | split("@")[0]' /tmp/jq-ise.json

cat << 'SHOW'

Command: Total session time by auth method
jq '.sessions | group_by(.authMethod) | map({method: .[0].authMethod, total_seconds: [.[].sessionTime] | add})' /tmp/jq-ise.json
SHOW
jq '.sessions | group_by(.authMethod) | map({method: .[0].authMethod, total_seconds: [.[].sessionTime] | add})' /tmp/jq-ise.json
echo ""
# ---------------------------------------------------------------------------
# DRILL 6.2: read pod phase, restart counts and namespaces from the simulated
# `kubectl get pods -o json` document in /tmp/jq-k8s.json.
cat << 'SHOW'
------------------------------------------------------------------
DRILL 6.2: KUBERNETES POD STATUS
Parse kubectl get pods -o json output
------------------------------------------------------------------

Command: List all pods with status
jq -r '.items[] | "\(.metadata.namespace)/\(.metadata.name): \(.status.phase)"' /tmp/jq-k8s.json
SHOW
jq -r '.items[] | "\(.metadata.namespace)/\(.metadata.name): \(.status.phase)"' /tmp/jq-k8s.json

cat << 'SHOW'

Command: Find non-running pods
jq '.items[] | select(.status.phase != "Running") | {name: .metadata.name, phase: .status.phase}' /tmp/jq-k8s.json
SHOW
jq '.items[] | select(.status.phase != "Running") | {name: .metadata.name, phase: .status.phase}' /tmp/jq-k8s.json

# Only containerStatuses[0] is inspected: restarts of any further container
# in the same pod are not counted by this filter.
cat << 'SHOW'

Command: Find pods with restarts > 0
jq '.items[] | select(.status.containerStatuses[0].restartCount > 0) | {name: .metadata.name, restarts: .status.containerStatuses[0].restartCount}' /tmp/jq-k8s.json
SHOW
jq '.items[] | select(.status.containerStatuses[0].restartCount > 0) | {name: .metadata.name, restarts: .status.containerStatuses[0].restartCount}' /tmp/jq-k8s.json

cat << 'SHOW'

Command: Count pods by namespace
jq '.items | group_by(.metadata.namespace) | map({namespace: .[0].metadata.namespace, count: length})' /tmp/jq-k8s.json
SHOW
jq '.items | group_by(.metadata.namespace) | map({namespace: .[0].metadata.namespace, count: length})' /tmp/jq-k8s.json
echo ""
# ---------------------------------------------------------------------------
# DRILL 6.3: list, filter and count the entries under .data.keys in the
# simulated Vault list response (/tmp/jq-vault.json).
cat << 'SHOW'
------------------------------------------------------------------
DRILL 6.3: VAULT SECRET PATHS
Parse vault list output
------------------------------------------------------------------

Command: List all secret engines
jq -r '.data.keys[]' /tmp/jq-vault.json
SHOW
jq -r '.data.keys[]' /tmp/jq-vault.json

# startswith("pki") is a prefix match, so it selects both pki/ and pki_int/.
cat << 'SHOW'

Command: Find PKI engines
jq -r '.data.keys[] | select(startswith("pki"))' /tmp/jq-vault.json
SHOW
jq -r '.data.keys[] | select(startswith("pki"))' /tmp/jq-vault.json

cat << 'SHOW'

Command: Count engines
jq '.data.keys | length' /tmp/jq-vault.json
SHOW
jq '.data.keys | length' /tmp/jq-vault.json
echo ""
# ---------------------------------------------------------------------------
# DRILL 6.4: turn JSON records into configuration-style text.
cat << 'SHOW'
------------------------------------------------------------------
DRILL 6.4: GENERATE CONFIGS
Transform JSON to config files
------------------------------------------------------------------

Command: Generate /etc/hosts entries from ISE sessions
jq -r '.sessions[] | select(.ipAddress) | "\(.ipAddress) endpoint-\(.macAddress | gsub(":"; "-"))"' /tmp/jq-ise.json
SHOW
# -r prints the interpolated strings raw, so ipAddress and macAddress reach
# the output exactly as they appear in the response. NOTE(review): validate
# both fields before appending such output to a real hosts file.
jq -r '.sessions[] | select(.ipAddress) | "\(.ipAddress) endpoint-\(.macAddress | gsub(":"; "-"))"' /tmp/jq-ise.json

cat << 'SHOW'

Command: Generate Prometheus scrape targets from k8s
jq '[.items[] | select(.status.phase == "Running") | "\(.metadata.name).\(.metadata.namespace).svc:9090"]' /tmp/jq-k8s.json
SHOW
# The result is a JSON array of "<name>.<namespace>.svc:9090" strings; the
# port is fixed in the filter.
jq '[.items[] | select(.status.phase == "Running") | "\(.metadata.name).\(.metadata.namespace).svc:9090"]' /tmp/jq-k8s.json
echo ""
# ---------------------------------------------------------------------------
# DRILL 6.5: health-check style filters that reduce a document to an
# alert line.
cat << 'SHOW'
------------------------------------------------------------------
DRILL 6.5: ALERTING LOGIC
Health check patterns
------------------------------------------------------------------

Command: ISE unhealthy check
jq 'if [.sessions[] | select(.state == "FAILED")] | length > 0 then "ALERT: Failed authentications detected" else "OK" end' /tmp/jq-ise.json
SHOW
# Without -r the result is printed as a JSON string, quotes included.
jq 'if [.sessions[] | select(.state == "FAILED")] | length > 0 then "ALERT: Failed authentications detected" else "OK" end' /tmp/jq-ise.json

cat << 'SHOW'

Command: K8s unhealthy pods
jq -r '.items[] | select(.status.phase != "Running" or .status.containerStatuses[0].ready == false) | "UNHEALTHY: \(.metadata.namespace)/\(.metadata.name) (\(.status.phase))"' /tmp/jq-k8s.json
SHOW
# Readiness is read from containerStatuses[0] only: a Running pod whose
# first container is ready is not reported even if another container in
# it is not ready.
jq -r '.items[] | select(.status.phase != "Running" or .status.containerStatuses[0].ready == false) | "UNHEALTHY: \(.metadata.namespace)/\(.metadata.name) (\(.status.phase))"' /tmp/jq-k8s.json
echo ""
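# ---------------------------------------------------------------------------
# DRILL 6.6: build one summary object from the ISE sessions: totals, counts
# per state, counts per auth method and the floored mean session time.
#
# The command shown to the reader must be the filter that actually runs.
# The by_method key expression is (.[0].authMethod): the auth method of the
# first session in each group produced by group_by.
cat << 'SHOW'
------------------------------------------------------------------
DRILL 6.6: COMBINING PATTERNS
Real-world monitoring dashboard data
------------------------------------------------------------------

Command: ISE Summary Report
jq '{
total_sessions: [.sessions[]] | length,
authenticated: [.sessions[] | select(.state == "AUTHENTICATED")] | length,
failed: [.sessions[] | select(.state == "FAILED")] | length,
by_method: (.sessions | group_by(.authMethod) | map({(.[0].authMethod): length}) | add),
avg_session_time: (([.sessions[].sessionTime] | add) / ([.sessions[]] | length) | floor)
}' /tmp/jq-ise.json
SHOW
# avg_session_time divides by the number of sessions, so the filter expects
# a non-empty .sessions array (the fixture has four entries).
jq '{total_sessions: [.sessions[]] | length, authenticated: [.sessions[] | select(.state == "AUTHENTICATED")] | length, failed: [.sessions[] | select(.state == "FAILED")] | length, by_method: (.sessions | group_by(.authMethod) | map({(.[0].authMethod): length}) | add), avg_session_time: (([.sessions[].sessionTime] | add) / ([.sessions[]] | length) | floor)}' /tmp/jq-ise.json
echo ""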
# ---------------------------------------------------------------------------
# Closing text: three exercises to run by hand against the fixture files,
# then the list of takeaways. The quoted here-doc prints every line
# literally, so the suggested commands need no escaping.
cat << 'SHOW'
------------------------------------------------------------------
YOUR TURN - TRY THESE:
------------------------------------------------------------------

1. Find MACs on specific NAS:
 jq -r '.sessions[] | select(.nasIpAddress == "10.50.1.10") | .macAddress' /tmp/jq-ise.json

2. K8s ready pod names only:
 jq -r '.items[] | select(.status.containerStatuses[0].ready) | .metadata.name' /tmp/jq-k8s.json

3. Total restarts across all pods:
 jq '[.items[].status.containerStatuses[0].restartCount] | add' /tmp/jq-k8s.json

------------------------------------------------------------------
KEY TAKEAWAYS:
1. group_by + map for aggregation by field
2. split("@")[0] for string parsing
3. gsub for string replacement
4. startswith/endswith for filtering
5. Nested select for complex conditions
6. Build summary objects for dashboards
------------------------------------------------------------------
SHOW