Alerting with $field$ and conf.spec

Other Usage

I'm working with a custom TA, AlertAction_SFTP, that has the following .conf.spec file.

[my_sftp_alert_action]
param.sftp_server = <string>
param.sftp_user = <string>
param.sftp_rfile = <string>
param.sftp_key = <string>
param.ssh_key_dir = <string>
param.sftp_password = <string>

When I try to use $date$ in the file name, filename-$date$, I get "Remote path is invalid." I've tried multiple ways of doing this including adding date to my search

index=vuln sourcetype="qualys:hostDetection" signature="SMB Version 1 Enabled" TAGS="*Server*" earliest=-1d@d latest=@d
| eval date=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
| table date, *

I've tried $results.date$, $date$, and a couple of other things. Is there some reason that the rfile path must not use a Spunk variable?

TIA

Joe

Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Are you a member of the Splunk Community?