topic Re: splunk $result.fieldname$ token w/ json data not working in Getting Data In https://community.splunk.com/t5/Getting-Data-In/splunk-result-fieldname-token-w-json-data-not-working/m-p/329423#M61095 <P>woops should have tried this before I posted. just doing a <CODE>|rename alert.signature as signature</CODE> solved the issue. Apparently splunk tokens do not like nested json. </P> Thu, 12 Apr 2018 21:23:53 GMT zhatsispgx 2018-04-12T21:23:53Z splunk $result.fieldname$ token w/ json data not working https://community.splunk.com/t5/Getting-Data-In/splunk-result-fieldname-token-w-json-data-not-working/m-p/329422#M61094 <P>Hi all, </P> <P>I have a scheduled search that runs against a json data sourcetype. Currently splunk extracts the fields correctly, however when I try to use a <CODE>$result.fieldname$</CODE> token in my alert actions, its not working for json data. </P> <P>Here is a sample event:</P> <PRE><CODE>{ alert: { action: allowed category: Attempted Information Leak gid: 1 rev: 8 severity: 2 signature: ET WEB_SERVER DFind w00tw00t GET-Requests signature_id: 2010794 } dest_ip: x.x.x.x dest_port: 80 event_type: alert flow_id: 131265170182404 http: { hostname: x.x.x.x http_method: GET http_user_agent: ZmEu length: 0 protocol: HTTP/1.1 url: /w00tw00t.at.blackhats.romanian.anti-sec:) } payload_printable: GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: ZmEu Host: x.x.x.x Connection: Close proto: TCP src_ip: x.x.x.x src_port: 49102 stream: 1 timestamp: 2018-04-11T17:36:09.121597-0600 tx_id: 0 } </CODE></PRE> <P>my saved search tries to use the following field <CODE>alert.signature</CODE> for an alert action. So for example, if I wanted to send an email to myself as an alert action and have the value of <CODE>alert.signature</CODE> in the email body, I am trying by adding <CODE>$result.alert.signature$</CODE> to the email body which isn't working. Is there a workaround for this? the <CODE>$result.fieldname$</CODE> works fine for all other datatypes but json from what I can see. </P> Thu, 12 Apr 2018 18:33:36 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-result-fieldname-token-w-json-data-not-working/m-p/329422#M61094 zhatsispgx 2018-04-12T18:33:36Z Re: splunk $result.fieldname$ token w/ json data not working https://community.splunk.com/t5/Getting-Data-In/splunk-result-fieldname-token-w-json-data-not-working/m-p/329423#M61095 <P>woops should have tried this before I posted. just doing a <CODE>|rename alert.signature as signature</CODE> solved the issue. Apparently splunk tokens do not like nested json. </P> Thu, 12 Apr 2018 21:23:53 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-result-fieldname-token-w-json-data-not-working/m-p/329423#M61095 zhatsispgx 2018-04-12T21:23:53Z