Alerting with $field$ and conf.spec

Other Usage

I'm working with a custom TA, AlertAction_SFTP, that has the following .conf.spec file.

[my_sftp_alert_action]
param.sftp_server = <string>
param.sftp_user = <string>
param.sftp_rfile = <string>
param.sftp_key = <string>
param.ssh_key_dir = <string>
param.sftp_password = <string>

When I try to use $date$ in the file name, filename-$date$, I get "Remote path is invalid." I've tried multiple ways of doing this including adding date to my search

index=vuln sourcetype="qualys:hostDetection" signature="SMB Version 1 Enabled" TAGS="*Server*" earliest=-1d@d latest=@d
| eval date=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
| table date, *

I've tried $results.date$, $date$, and a couple of other things. Is there some reason that the rfile path must not use a Spunk variable?

TIA

Joe

Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...