Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alerting with $field$ and conf.spec

jwhughes58
Contributor
‎09-14-2023 01:25 PM

I'm working with a custom TA, AlertAction_SFTP, that has the following .conf.spec file.

 

[my_sftp_alert_action]
param.sftp_server = <string>
param.sftp_user = <string>
param.sftp_rfile = <string>
param.sftp_key = <string>
param.ssh_key_dir = <string>
param.sftp_password = <string>

 

When I try to use $date$ in the file name, filename-$date$, I get "Remote path is invalid."  I've tried multiple ways of doing this including adding date to my search

 

index=vuln sourcetype="qualys:hostDetection" signature="SMB Version 1 Enabled" TAGS="*Server*" earliest=-1d@d latest=@d
| eval date=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
| table date, *

 

I've tried $results.date$, $date$, and a couple of other things.  Is there some reason that the rfile path must not use a Spunk variable?

TIA

Joe

Labels (1)
Labels
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...