Getting Data In

splunk $result.fieldname$ token w/ json data not working

zhatsispgx
Path Finder

Hi all,

I have a scheduled search that runs against a json data sourcetype. Currently splunk extracts the fields correctly, however when I try to use a $result.fieldname$ token in my alert actions, its not working for json data.

Here is a sample event:

{       
     alert: {       
         action:     allowed    
         category:   Attempted Information Leak 
         gid:    1  
         rev:    8  
         severity:   2  
         signature:  ET WEB_SERVER DFind w00tw00t GET-Requests  
         signature_id:   2010794    
    }   
     dest_ip:    x.x.x.x    
     dest_port:  80 
     event_type:     alert  
     flow_id:    131265170182404    
     http:  {       
         hostname:   x.x.x.x    
         http_method:    GET    
         http_user_agent:    ZmEu   
         length:     0  
         protocol:   HTTP/1.1   
         url:    /w00tw00t.at.blackhats.romanian.anti-sec:) 
    }   
     payload_printable:  GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: x.x.x.x
Connection: Close

 proto:  TCP    
 src_ip:     x.x.x.x    
 src_port:   49102  
 stream:     1  
 timestamp:  2018-04-11T17:36:09.121597-0600    
 tx_id:  0  
}

my saved search tries to use the following field alert.signature for an alert action. So for example, if I wanted to send an email to myself as an alert action and have the value of alert.signature in the email body, I am trying by adding $result.alert.signature$ to the email body which isn't working. Is there a workaround for this? the $result.fieldname$ works fine for all other datatypes but json from what I can see.

0 Karma
1 Solution

zhatsispgx
Path Finder

woops should have tried this before I posted. just doing a |rename alert.signature as signature solved the issue. Apparently splunk tokens do not like nested json.

View solution in original post

zhatsispgx
Path Finder

woops should have tried this before I posted. just doing a |rename alert.signature as signature solved the issue. Apparently splunk tokens do not like nested json.

Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...