Alerting with $field$ and conf.spec

jwhughes58
Contributor

I'm working with a custom TA, AlertAction_SFTP, that has the following .conf.spec file.

 

[my_sftp_alert_action]
param.sftp_server = <string>
param.sftp_user = <string>
param.sftp_rfile = <string>
param.sftp_key = <string>
param.ssh_key_dir = <string>
param.sftp_password = <string>

 

When I try to use $date$ in the file name, filename-$date$, I get "Remote path is invalid." I've tried multiple ways of doing this, including adding date to my search:

 

index=vuln sourcetype="qualys:hostDetection" signature="SMB Version 1 Enabled" TAGS="*Server*" earliest=-1d@d latest=@d
| eval date=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
| table date, *

 

I've tried $results.date$, $date$, and a couple of other things. Is there some reason that the rfile path must not use a Splunk variable?

TIA

Joe
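
Added example, not part of the original post and not the AlertAction_SFTP code: Splunk's documented token for a field of the first result row is `$result.<fieldname>$`, and a custom alert action script is invoked with `--execute` and receives its parameters plus that row as a JSON payload on stdin. The sketch below assumes that payload shape; `resolve_remote_path` and the path allow-list are hypothetical. It expands any leftover `$result.*$` token and rejects unresolved tokens or path traversal before the value is used as an SFTP remote path.

```python
import json
import re
import sys

RESULT_TOKEN = re.compile(r"\$result\.([^$]+)\$")  # e.g. $result.date$
SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")        # allow-list (assumption)


def resolve_remote_path(payload):
    """Return the remote path for this alert, or raise ValueError."""
    raw = payload.get("configuration", {}).get("sftp_rfile", "")
    row = payload.get("result") or {}

    def expand(match):
        field = match.group(1)
        if field not in row:
            raise ValueError(f"no field {field!r} in first result row")
        return str(row[field])

    # Expand any $result.<field>$ that arrived unexpanded.
    path = RESULT_TOKEN.sub(expand, raw)
    # Anything still carrying '$' (for example a bare $date$) is unresolved.
    if "$" in path:
        raise ValueError(f"unresolved token in remote path: {path!r}")
    # Field values come from indexed data, so treat them as untrusted.
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"unsafe remote path: {path!r}")
    return path


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = json.load(sys.stdin)  # payload supplied by Splunk
    else:
        payload = {  # constructed sample payload
            "configuration": {"sftp_rfile": "/upload/filename-$result.date$"},
            "result": {"date": "2024-05-01"},
        }
    print(resolve_remote_path(payload))
```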
