Hi all,
I have a scheduled search that runs against a JSON data sourcetype. Currently Splunk extracts the fields correctly; however, when I try to use a $result.fieldname$ token in my alert actions, it's not working for JSON data.
Here is a sample event:
{
alert: {
action: allowed
category: Attempted Information Leak
gid: 1
rev: 8
severity: 2
signature: ET WEB_SERVER DFind w00tw00t GET-Requests
signature_id: 2010794
}
dest_ip: x.x.x.x
dest_port: 80
event_type: alert
flow_id: 131265170182404
http: {
hostname: x.x.x.x
http_method: GET
http_user_agent: ZmEu
length: 0
protocol: HTTP/1.1
url: /w00tw00t.at.blackhats.romanian.anti-sec:)
}
payload_printable: GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: x.x.x.x
Connection: Close
proto: TCP
src_ip: x.x.x.x
src_port: 49102
stream: 1
timestamp: 2018-04-11T17:36:09.121597-0600
tx_id: 0
}
My saved search tries to use the field alert.signature for an alert action. So for example, if I wanted to send an email to myself as an alert action and have the value of alert.signature in the email body, I am trying by adding $result.alert.signature$ to the email body, which isn't working. Is there a workaround for this? The $result.fieldname$ token works fine for all other data types but JSON from what I can see.
Whoops, I should have tried this before I posted. Just doing a | rename alert.signature as signature solved the issue. Apparently Splunk tokens do not like nested JSON.
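As an added example (not from the original post, and not Splunk's own documentation), here is a savedsearches.conf stanza that applies the workaround end to end and goes a little beyond the single rename above: the search flattens every nested field the alert action needs, sorts so the most recent event is the first result row, and the email action references only the flattened names. The stanza name, index, sourcetype, recipient address and schedule are assumptions; the key names are the standard savedsearches.conf ones.

```ini
# Added example (not from the original post). Assumed: index "suricata",
# sourcetype "suricata:json", the recipient address and the cron schedule.
[suricata_web_server_alerts]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Nested JSON fields such as alert.signature are extracted automatically, but the
# dotted names do not resolve inside $result.<field>$ tokens, so rename every
# nested field the alert action needs to a flat name before the search ends.
# $result.<field>$ takes its value from the FIRST result row, so sort first.
search = index=suricata sourcetype="suricata:json" event_type=alert alert.severity<=2 \
| rename alert.signature AS signature, alert.signature_id AS signature_id, \
         alert.category AS category, http.url AS url, http.http_user_agent AS user_agent \
| sort - _time \
| table _time src_ip dest_ip dest_port signature signature_id category url user_agent
# Trigger when the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
# Email action: tokens reference the renamed (flat) field names only.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Suricata alert: $result.signature$ from $result.src_ip$
action.email.message.alert = Signature $result.signature$ (sid $result.signature_id$, $result.category$) \
from $result.src_ip$ to $result.dest_ip$:$result.dest_port$ requested $result.url$ \
with user agent $result.user_agent$. $job.resultCount$ matching event(s); full results attached.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = csv
```

Place the stanza in an app's local/savedsearches.conf (or create the equivalent alert in the UI) and check the alert's result tokens against the field names produced by the search, not the raw JSON paths: a token that points at a name the final result set does not contain renders as empty text rather than raising an error, which is what the original $result.alert.signature$ attempt looked like.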