splunk $result.fieldname$ token w/ json data not working

zhatsispgx
Path Finder

Hi all,

I have a scheduled search that runs against a JSON data sourcetype. Currently Splunk extracts the fields correctly; however, when I try to use a $result.fieldname$ token in my alert actions, it's not working for JSON data.

Here is a sample event:

{
    alert: {
        action: allowed
        category: Attempted Information Leak
        gid: 1
        rev: 8
        severity: 2
        signature: ET WEB_SERVER DFind w00tw00t GET-Requests
        signature_id: 2010794
    }
    dest_ip: x.x.x.x
    dest_port: 80
    event_type: alert
    flow_id: 131265170182404
    http: {
        hostname: x.x.x.x
        http_method: GET
        http_user_agent: ZmEu
        length: 0
        protocol: HTTP/1.1
        url: /w00tw00t.at.blackhats.romanian.anti-sec:)
    }
    payload_printable: GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: x.x.x.x
Connection: Close

    proto: TCP
    src_ip: x.x.x.x
    src_port: 49102
    stream: 1
    timestamp: 2018-04-11T17:36:09.121597-0600
    tx_id: 0
}

My saved search tries to use the following field, alert.signature, for an alert action. So for example, if I wanted to send an email to myself as an alert action and have the value of alert.signature in the email body, I am trying by adding $result.alert.signature$ to the email body, which isn't working. Is there a workaround for this? The $result.fieldname$ works fine for all other datatypes but JSON from what I can see.

1 Solution

zhatsispgx
Path Finder

Whoops, should have tried this before I posted. Just doing a |rename alert.signature as signature solved the issue. Apparently Splunk tokens do not like nested JSON.
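
The rename workaround from the accepted answer, written out as a complete scheduled alert. This is an added example, not part of the original posts, and it goes beyond the single field in the thread by flattening every `alert.*` and `http.*` field with a wildcard rename. The stanza name, index, sourcetype, schedule and recipient address are placeholders.

```ini
# savedsearches.conf -- added example; stanza name, index, sourcetype,
# schedule and recipient are placeholders, not values from the thread.
[Suricata alert - email signature]
# Flatten the nested JSON field names so that no dots remain in them:
# alert.signature -> alert_signature, http.url -> http_url, and so on.
search = index=ids sourcetype=suricata event_type=alert \
| rename alert.* as alert_*, http.* as http_* \
| table _time src_ip dest_ip dest_port alert_signature alert_category alert_severity http_url

enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now

# Trigger whenever the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0

action.email = 1
action.email.to = soc@example.com

# As reported in the thread, the nested name does not work in a token:
# action.email.message.alert = Signature: $result.alert.signature$

# The tokens below refer to the flattened names produced by the rename.
action.email.subject.alert = Suricata: $result.alert_signature$
action.email.message.alert = $result.alert_signature$ ($result.alert_category$, severity $result.alert_severity$) from $result.src_ip$ to $result.dest_ip$:$result.dest_port$ url=$result.http_url$
```

`$result.fieldname$` tokens are filled from the first result row only, so if one email should cover one signature, set the alert to trigger for each result or aggregate with `stats` before the rename.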

