Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alerting with $field$ and conf.spec

jwhughes58
Contributor
‎09-14-2023 01:25 PM

I'm working with a custom TA, AlertAction_SFTP, that has the following .conf.spec file.

 

[my_sftp_alert_action]
param.sftp_server = <string>
param.sftp_user = <string>
param.sftp_rfile = <string>
param.sftp_key = <string>
param.ssh_key_dir = <string>
param.sftp_password = <string>

 

When I try to use $date$ in the file name, filename-$date$, I get "Remote path is invalid."  I've tried multiple ways of doing this including adding date to my search

 

index=vuln sourcetype="qualys:hostDetection" signature="SMB Version 1 Enabled" TAGS="*Server*" earliest=-1d@d latest=@d
| eval date=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
| table date, *

 

I've tried $results.date$, $date$, and a couple of other things.  Is there some reason that the rfile path must not use a Spunk variable?

TIA

Joe

Labels (1)
Labels
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...