Getting Data In

splunk $result.fieldname$ token w/ json data not working

zhatsispgx
Path Finder

Hi all,

I have a scheduled search that runs against a json data sourcetype. Currently splunk extracts the fields correctly, however when I try to use a $result.fieldname$ token in my alert actions, its not working for json data.

Here is a sample event:

{       
     alert: {       
         action:     allowed    
         category:   Attempted Information Leak 
         gid:    1  
         rev:    8  
         severity:   2  
         signature:  ET WEB_SERVER DFind w00tw00t GET-Requests  
         signature_id:   2010794    
    }   
     dest_ip:    x.x.x.x    
     dest_port:  80 
     event_type:     alert  
     flow_id:    131265170182404    
     http:  {       
         hostname:   x.x.x.x    
         http_method:    GET    
         http_user_agent:    ZmEu   
         length:     0  
         protocol:   HTTP/1.1   
         url:    /w00tw00t.at.blackhats.romanian.anti-sec:) 
    }   
     payload_printable:  GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: x.x.x.x
Connection: Close

 proto:  TCP    
 src_ip:     x.x.x.x    
 src_port:   49102  
 stream:     1  
 timestamp:  2018-04-11T17:36:09.121597-0600    
 tx_id:  0  
}

my saved search tries to use the following field alert.signature for an alert action. So for example, if I wanted to send an email to myself as an alert action and have the value of alert.signature in the email body, I am trying by adding $result.alert.signature$ to the email body which isn't working. Is there a workaround for this? the $result.fieldname$ works fine for all other datatypes but json from what I can see.

0 Karma
1 Solution

zhatsispgx
Path Finder

woops should have tried this before I posted. just doing a |rename alert.signature as signature solved the issue. Apparently splunk tokens do not like nested json.

View solution in original post

zhatsispgx
Path Finder

woops should have tried this before I posted. just doing a |rename alert.signature as signature solved the issue. Apparently splunk tokens do not like nested json.

Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...