https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/511978#M143574 <P><STRONG>try enclosing the field name&nbsp;</STRONG><SPAN>requestParameters.Host With single quote like below in if statement:</SPAN></P><P>‘requestParameters.Host’</P> Fri, 31 Jul 2020 19:21:06 GMT thambisetty 2020-07-31T19:21:06Z https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/511959#M143564 <P>I am trying to write a report of 'AccessDenied' messages in our AWS CloudTrail logs. These are in JSON format and the notable fields change depending on which service reports the error. So I am trying to simplify my results by comparing 2 fields:</P><UL><LI>errorMessage</LI><LI>requestParameters.Host</LI></UL><P>and keeping whichever one is populated, e.g.</P><P>&nbsp;</P><LI-CODE lang="markup">sourcetype=aws:cloudtrail errorCode="AccessDenied" | eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)</LI-CODE><P>&nbsp;</P><P>But it doesn't work? I've traced it back to something weird with the "requestParameters.Host" field -- which is 'nested' inside the JSON. The other field, "errorMessage" works as expected and that's probably because it's a 'first-level' field in the JSON (not a secondary/nested field)</P><P>It's like the "requestParameters.Host" field isn't a string, e.g. the following search also fails</P><P>&nbsp;</P><LI-CODE lang="markup">sourcetype=aws:cloudtrail errorCode="AccessDenied" | eval test = requestParameters.Host</LI-CODE><P>&nbsp;</P><P>e.g. "test" is blank</P><P>------------------</P><P>I have also tried adding an "spath" command but I'm not sure how to use it. If I use the search UI's built-in "Add to search" it inserts:</P><P>&nbsp;</P><LI-CODE lang="markup">sourcetype=aws:cloudtrail errorCode="AccessDenied" | spath "requestParameters.Host" | eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)</LI-CODE><P>&nbsp;</P><P>but that has no effect, i.e., "requestParameters.Host" is still a 'ghost' field which I cannot use in an 'eval' statement</P> Fri, 31 Jul 2020 16:57:20 GMT https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/511959#M143564 ttovarzoll 2020-07-31T16:57:20Z https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/511978#M143574 <P><STRONG>try enclosing the field name&nbsp;</STRONG><SPAN>requestParameters.Host With single quote like below in if statement:</SPAN></P><P>‘requestParameters.Host’</P> Fri, 31 Jul 2020 19:21:06 GMT https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/511978#M143574 thambisetty 2020-07-31T19:21:06Z https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/511992#M143583 <P>Bah! It was as simple as that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I would have thought the single-quotes would be treating it as a string value, rather than the long-name of a variable.</P> Fri, 31 Jul 2020 23:12:28 GMT https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/511992#M143583 ttovarzoll 2020-07-31T23:12:28Z https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/512324#M143693 <P>double quotes for string. single quotes are used in eval command to identify field names if names contain space or any other special characters.</P> Tue, 04 Aug 2020 09:49:19 GMT https://community.splunk.com/t5/Splunk-Search/unable-to-manipulate-string-from-JSON-AWS-CloudTrail/m-p/512324#M143693 thambisetty 2020-08-04T09:49:19Z