Getting Data In

splunk $result.fieldname$ token w/ json data not working

zhatsispgx
Path Finder

Hi all,

I have a scheduled search that runs against a JSON data sourcetype. Currently Splunk extracts the fields correctly; however, when I try to use a $result.fieldname$ token in my alert actions, it's not working for JSON data.

Here is a sample event:

{
  "alert": {
    "action": "allowed",
    "category": "Attempted Information Leak",
    "gid": 1,
    "rev": 8,
    "severity": 2,
    "signature": "ET WEB_SERVER DFind w00tw00t GET-Requests",
    "signature_id": 2010794
  },
  "dest_ip": "x.x.x.x",
  "dest_port": 80,
  "event_type": "alert",
  "flow_id": 131265170182404,
  "http": {
    "hostname": "x.x.x.x",
    "http_method": "GET",
    "http_user_agent": "ZmEu",
    "length": 0,
    "protocol": "HTTP/1.1",
    "url": "/w00tw00t.at.blackhats.romanian.anti-sec:)"
  },
  "payload_printable": "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1\nAccept: */*\nAccept-Language: en-us\nAccept-Encoding: gzip, deflate\nUser-Agent: ZmEu\nHost: x.x.x.x\nConnection: Close\n\n",
  "proto": "TCP",
  "src_ip": "x.x.x.x",
  "src_port": 49102,
  "stream": 1,
  "timestamp": "2018-04-11T17:36:09.121597-0600",
  "tx_id": 0
}

My saved search tries to use the field alert.signature for an alert action. So, for example, if I wanted to send an email to myself as an alert action and have the value of alert.signature in the email body, I am trying this by adding $result.alert.signature$ to the email body, which isn't working. Is there a workaround for this? The $result.fieldname$ token works fine for all other data types but JSON, from what I can see.


zhatsispgx
Path Finder

Whoops, should have tried this before I posted. Just doing a | rename alert.signature as signature solved the issue. Apparently Splunk tokens do not like nested JSON.

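As an added example (not from the original post), this is what the workaround looks like as a savedsearches.conf stanza: the search flattens the nested JSON fields with rename before the alert action runs, so the email action can reference $result.signature$ instead of the dotted $result.alert.signature$. The stanza name, index, sourcetype and mail address are placeholders.

```ini
# savedsearches.conf (added example; index, sourcetype and address are placeholders)
[json_alert_signature_email]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Rename the nested fields to flat names so $result.<field>$ tokens resolve
search = index=<your_index> sourcetype=<your_json_sourcetype> event_type=alert \
    | rename alert.signature AS signature, alert.category AS category \
    | table _time src_ip dest_ip dest_port signature category
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
action.email = 1
action.email.to = <soc-mailbox@example.com>
action.email.subject = Alert: $result.signature$
action.email.message.alert = $result.signature$ ($result.category$) from $result.src_ip$ to $result.dest_ip$:$result.dest_port$
```

Tokens are filled from the first row of the search results, so keep the flattened fields in the table output or the email body will show empty values.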

