Splunk SOAR (f.k.a. Phantom)

Accessing JSON object with dot in name

alexgkirk
Explorer

I'm attempting to access a value returned from a previous block that performed a Splunk query, returning a field named "id.orig_h" as a result of the query. Using this syntax:

extIPs = phantom.collect2(container=container, datapath=['Execute_External_IP_Query:action_result.data.*.id.orig_h'])

I can readily access other fields from the search (i.e. the one named "uid"), but I'm getting NULL values returned for the field with the dot in its name. I've tried using "as" in my Splunk query to alias the field name to something without a dot, but that didn't make a difference. I'm assuming that there's some way to escape the dot in the field name, or quote the entire name such that it interprets things properly, but just can't find the syntax. Can anyone help?

1 Solution

sam_splunk
Splunk Employee

Hi @alexgkirk , accessing CEF fields with periods is problematic (and they actually cannot be defined within the platform's administrative UI). However, API calls and apps can still put them in, but accessing them in the playbooks is difficult. I'd recommend switching to a different convention (camelCase or snake_case, for example). 

If you have to use a period, then you can access `artifact:*.cef` and use a custom function to parse out the fields you want from the returned array of dictionaries.

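The workaround from this answer (collect whole records, then pull the dotted keys out in a custom function), as an added example that is not code from the thread or from Splunk SOAR. `resolve_datapath` is an assumed, simplified model of how a dotted datapath is walked (split on "." and descend into nested dicts); it reproduces the NULLs reported in the question but is not the platform's own resolver. The sample rows are constructed.

```python
"""Added example: not code from the original thread or from Splunk SOAR.

It illustrates why a datapath such as
    Execute_External_IP_Query:action_result.data.*.id.orig_h
comes back empty when the field is literally named "id.orig_h", and the
workaround from the accepted answer: collect whole records (for example
with the datapath artifact:*.cef) and pull dotted keys out of the
returned list of dicts in a custom function.

Assumption: resolve_datapath() is a simplified stand-in for the platform's
datapath resolver that splits on "." and walks nested dicts. That matches
the behaviour reported in the question but is not SOAR's actual code.
All sample records are constructed.
"""
from typing import Any, Dict, List, Optional

# Constructed: action_result.data rows from a Splunk query. The Zeek-style
# field names contain periods, so they are flat keys, not nested dicts.
SAMPLE_RESULTS: List[Dict[str, Any]] = [
    {"uid": "CAbc1", "id.orig_h": "10.1.2.3", "id.resp_h": "203.0.113.7"},
    {"uid": "CDef2", "id.orig_h": "10.1.2.4", "id.resp_h": "198.51.100.9"},
]

# Constructed: the same data with real nesting, which is what a dotted
# datapath actually addresses.
NESTED_RESULTS: List[Dict[str, Any]] = [
    {"uid": "CAbc1", "id": {"orig_h": "10.1.2.3", "resp_h": "203.0.113.7"}},
]


def resolve_datapath(records: List[Dict[str, Any]], path: str) -> List[Optional[Any]]:
    """Simplified datapath walk over the part after 'action_result.data'.

    path has the form '*.a.b': '*' iterates the list, every further
    segment is a dict key. A failed walk yields None, which is the NULL
    the question describes.
    """
    segments = path.split(".")
    if segments[0] != "*":
        raise ValueError("this example only handles paths of the form *.a.b")
    values: List[Optional[Any]] = []
    for record in records:
        node: Any = record
        for segment in segments[1:]:
            if isinstance(node, dict) and segment in node:
                node = node[segment]
            else:
                node = None
                break
        values.append(node)
    return values


def extract_dotted_fields(records: List[Dict[str, Any]], fields: List[str]) -> List[Dict[str, Any]]:
    """Custom-function style extractor: look each key up literally, so a
    name like 'id.orig_h' is never split. Missing keys come back as None."""
    return [{field: record.get(field) for field in fields} for record in records]


def rename_dotted_keys(records: List[Dict[str, Any]], sep: str = "_") -> List[Dict[str, Any]]:
    """Rewrite keys to the snake_case convention the answer recommends, so
    that downstream blocks can use ordinary datapaths (e.g. *.id_orig_h)."""
    return [{key.replace(".", sep): value for key, value in record.items()} for record in records]


def collect_ips(records: List[Dict[str, Any]], field: str = "id.orig_h") -> List[str]:
    """De-duplicated, order-preserving list of the values under a dotted field."""
    seen: List[str] = []
    for record in records:
        value = record.get(field)
        if isinstance(value, str) and value and value not in seen:
            seen.append(value)
    return seen


if __name__ == "__main__":
    print(resolve_datapath(SAMPLE_RESULTS, "*.uid"))        # ['CAbc1', 'CDef2']
    print(resolve_datapath(SAMPLE_RESULTS, "*.id.orig_h"))  # [None, None]
    print(resolve_datapath(NESTED_RESULTS, "*.id.orig_h"))  # ['10.1.2.3']
    print(collect_ips(SAMPLE_RESULTS))                      # ['10.1.2.3', '10.1.2.4']
```

In a playbook the list of dicts would come from a call such as `phantom.collect2(container=container, datapath=['artifact:*.cef'])`, as the answer describes; the custom function then receives that list and does the literal key lookup shown in `extract_dotted_fields` or `collect_ips`.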

phanTom
SplunkTrust

@alexgkirk great news!! However, I am curious if the spath fix works. Are you able to test and let me know?

alexgkirk
Explorer

Good news, turns out I just missed a mapping that's already been done to resolve this - that field becomes dest_ip, which solves the problem.

Thanks in the meantime for the quick/helpful responses.

phanTom
SplunkTrust

@alexgkirk have you tried using spath to rename the json field in your SPL? This may create the outputted field differently than a simple 'as' rename?
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Spath

alexgkirk
Explorer

I'd be happy to, but it's less than clear to me from that article what the exact syntax is to do so. How exactly would I rename the field id.resp_h to be dest_ip?


