Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Accessing JSON object with dot in name

alexgkirk
Explorer
‎09-18-2020 01:17 PM

I'm attempting to access a value returned from a previous block that performed a Splunk query, returning a field named "id.orig_h" as a result of the query. Using this syntax:

extIPs = phantom.collect2(container=container, datapath=['Execute_External_IP_Query:action_result.data.*.id.orig_h'])

I can readily access other fields from the search (i.e. the one named "uid"), but I'm getting NULL values returned for the field with the dot in its name. I've tried using "as" in my Splunk query to alias the field name to something without a dot, but that didn't make a difference. I'm assuming that there's some way to escape the dot in the field name, or quote the entire name such that it interprets things properly, but just can't find the syntax. Can anyone help?

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎09-18-2020 01:36 PM

Hi @alexgkirk , accessing CEF fields with periods is problematic (and they actually cannot be defined within the platform's administrative UI). However, API calls and apps can still put them in, but accessing them in the playbooks is difficult. I'd recommend switching to a different convention (camelCase or snake_case, for example). 

 

If you have to use a period - then you can access `'artifact:*.cef` and use a custom function to parse out the fields you want from the returned array of dictionaries.

View solution in original post

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎09-21-2020 07:58 AM

@alexgkirk great news!! However I am curious is the spath fix works. Are you able to test and let me know? 

Reply
Solved! Jump to solution

alexgkirk
Explorer
‎09-21-2020 04:34 AM

Good news, turns out I just missed a mapping that's already been done to resolve this - that field becomes dest_ip, which solves the problem.

Thanks in the meantime for the quick/helpful responses.

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎09-21-2020 02:06 AM

@alexgkirk have you tried using spath to rename the json field in your SPL? This may create the outputted field differently than a simple 'as' rename?
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Spath

Reply
Solved! Jump to solution

alexgkirk
Explorer
‎09-21-2020 08:44 AM

I'd be happy to, but it's less than clear to me from that article what the exact syntax is to do so. How exactly would I rename the field id.resp_h to be dest_ip?

0 Karma
Reply
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎09-18-2020 01:36 PM

Hi @alexgkirk , accessing CEF fields with periods is problematic (and they actually cannot be defined within the platform's administrative UI). However, API calls and apps can still put them in, but accessing them in the playbooks is difficult. I'd recommend switching to a different convention (camelCase or snake_case, for example). 

 

If you have to use a period - then you can access `'artifact:*.cef` and use a custom function to parse out the fields you want from the returned array of dictionaries.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...