Splunk SOAR (f.k.a. Phantom)

Accessing JSON object with dot in name

alexgkirk
Explorer

I'm attempting to access a value returned from a previous block that performed a Splunk query, returning a field named "id.orig_h" as a result of the query. Using this syntax:

extIPs = phantom.collect2(container=container, datapath=['Execute_External_IP_Query:action_result.data.*.id.orig_h'])

I can readily access other fields from the search (i.e. the one named "uid"), but I'm getting NULL values returned for the field with the dot in its name. I've tried using "as" in my Splunk query to alias the field name to something without a dot, but that didn't make a difference. I'm assuming that there's some way to escape the dot in the field name, or quote the entire name such that it interprets things properly, but just can't find the syntax. Can anyone help?

Labels (2)
1 Solution

sam_splunk
Splunk Employee
Splunk Employee

Hi @alexgkirk , accessing CEF fields with periods is problematic (and they actually cannot be defined within the platform's administrative UI). However, API calls and apps can still put them in, but accessing them in the playbooks is difficult. I'd recommend switching to a different convention (camelCase or snake_case, for example). 

 

If you have to use a period - then you can access `'artifact:*.cef` and use a custom function to parse out the fields you want from the returned array of dictionaries.

View solution in original post

phanTom
SplunkTrust
SplunkTrust

@alexgkirk great news!! However I am curious is the spath fix works. Are you able to test and let me know? 

alexgkirk
Explorer

Good news, turns out I just missed a mapping that's already been done to resolve this - that field becomes dest_ip, which solves the problem.

Thanks in the meantime for the quick/helpful responses.

phanTom
SplunkTrust
SplunkTrust

@alexgkirk have you tried using spath to rename the json field in your SPL? This may create the outputted field differently than a simple 'as' rename?
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Spath

alexgkirk
Explorer

I'd be happy to, but it's less than clear to me from that article what the exact syntax is to do so. How exactly would I rename the field id.resp_h to be dest_ip?

0 Karma

sam_splunk
Splunk Employee
Splunk Employee

Hi @alexgkirk , accessing CEF fields with periods is problematic (and they actually cannot be defined within the platform's administrative UI). However, API calls and apps can still put them in, but accessing them in the playbooks is difficult. I'd recommend switching to a different convention (camelCase or snake_case, for example). 

 

If you have to use a period - then you can access `'artifact:*.cef` and use a custom function to parse out the fields you want from the returned array of dictionaries.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...