topic Re: Why don't I see Splunk events for containers with Phantom-ingested emails? in Splunk SOAR https://community.splunk.com/t5/Splunk-SOAR/Why-don-t-I-see-Splunk-events-for-containers-with-Phantom/m-p/511482#M442 <P>The json logged by Phantom break's Splunk's parsing. Early fields in the json will be available for you to search on, but later fields such as label and status won't be automatically extracted.</P><P>I think the raw_email field is the one that breaks things. Based on a quick test, a json linter had no problem with what phantom was sending Splunk, so the issue seems more with Splunk parsing the dta.</P><P>As a workaround - extract the relevant fields at search time (or define your own local props):</P><LI-CODE lang="markup">index=phantom_container | rex "\x22label\x22: \x22(?&lt;label&gt;[^\x22]+)\x22" | rex "\x22status\x22: \x22(?&lt;status&gt;[^\x22]+)\x22" | search label!="servicenow-poll" status=new | eval _time = strptime(create_time,"%Y-%m-%dT%H:%M:%S") + 10*60*60 | stats min(_time) as _time, values(label) as label by id | timechart span=10m count by label</LI-CODE><P>&nbsp;</P> Wed, 29 Jul 2020 10:02:32 GMT gf13579 2020-07-29T10:02:32Z Why don't I see Splunk events for containers with Phantom-ingested emails? https://community.splunk.com/t5/Splunk-SOAR/Why-don-t-I-see-Splunk-events-for-containers-with-Phantom/m-p/511480#M441 <P>If I try to search phantom container events by label, status or several other fields, I don't see events relating to containers created by the email poll-based ingestion feature of Phantom.</P><P>Why don't they show up?</P> Wed, 29 Jul 2020 09:56:27 GMT https://community.splunk.com/t5/Splunk-SOAR/Why-don-t-I-see-Splunk-events-for-containers-with-Phantom/m-p/511480#M441 gf13579 2020-07-29T09:56:27Z Re: Why don't I see Splunk events for containers with Phantom-ingested emails? https://community.splunk.com/t5/Splunk-SOAR/Why-don-t-I-see-Splunk-events-for-containers-with-Phantom/m-p/511482#M442 <P>The json logged by Phantom break's Splunk's parsing. Early fields in the json will be available for you to search on, but later fields such as label and status won't be automatically extracted.</P><P>I think the raw_email field is the one that breaks things. Based on a quick test, a json linter had no problem with what phantom was sending Splunk, so the issue seems more with Splunk parsing the dta.</P><P>As a workaround - extract the relevant fields at search time (or define your own local props):</P><LI-CODE lang="markup">index=phantom_container | rex "\x22label\x22: \x22(?&lt;label&gt;[^\x22]+)\x22" | rex "\x22status\x22: \x22(?&lt;status&gt;[^\x22]+)\x22" | search label!="servicenow-poll" status=new | eval _time = strptime(create_time,"%Y-%m-%dT%H:%M:%S") + 10*60*60 | stats min(_time) as _time, values(label) as label by id | timechart span=10m count by label</LI-CODE><P>&nbsp;</P> Wed, 29 Jul 2020 10:02:32 GMT https://community.splunk.com/t5/Splunk-SOAR/Why-don-t-I-see-Splunk-events-for-containers-with-Phantom/m-p/511482#M442 gf13579 2020-07-29T10:02:32Z