Splunk SOAR

Accessing JSON object with dot in name

alexgkirk
Explorer

I'm attempting to access a value returned from a previous block that performed a Splunk query, returning a field named "id.orig_h" as a result of the query. Using this syntax:

extIPs = phantom.collect2(container=container, datapath=['Execute_External_IP_Query:action_result.data.*.id.orig_h'])

I can readily access other fields from the search (i.e. the one named "uid"), but I'm getting NULL values returned for the field with the dot in its name. I've tried using "as" in my Splunk query to alias the field name to something without a dot, but that didn't make a difference. I'm assuming that there's some way to escape the dot in the field name, or quote the entire name such that it interprets things properly, but just can't find the syntax. Can anyone help?

1 Solution

sam_splunk
Splunk Employee
Splunk Employee

Hi @alexgkirk , accessing CEF fields with periods is problematic (and they actually cannot be defined within the platform's administrative UI). However, API calls and apps can still put them in, but accessing them in the playbooks is difficult. I'd recommend switching to a different convention (camelCase or snake_case, for example). 


If you have to use a period, then you can access `artifact:*.cef` and use a custom function to parse out the fields you want from the returned array of dictionaries.

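The custom-function approach sam_splunk describes, as an added example that is not part of the original thread or of the Splunk SOAR product code. It assumes the shape that phantom.collect2(container=container, datapath=['artifact:*.cef']) returns: a list with one entry per artifact, each entry being a list whose single element is that artifact's CEF dictionary. The sample artifacts are constructed. A dotted key such as id.orig_h is looked up literally first; the nested walk is a fallback in case an app stored it as cef['id']['orig_h'], and artifacts that lack the field yield None rather than raising.

```python
"""Pull a CEF field whose name contains a period out of SOAR artifacts.

Added example, not code from the thread or from Splunk SOAR. Assumes
phantom.collect2(container=container, datapath=['artifact:*.cef'])
returns a list of per-artifact lists, each holding one CEF dict.
"""

# Constructed sample of what 'artifact:*.cef' might yield for three
# artifacts. The first stores 'id.orig_h' as a literal dotted key,
# the second as a nested dict, the third lacks the field entirely.
SAMPLE_COLLECT2_RESULT = [
    [{"uid": "CabcD1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.9"}],
    [{"uid": "CefgH2", "id": {"orig_h": "10.0.0.6"}, "id.resp_h": "203.0.113.10"}],
    [{"uid": "CijkL3"}],
]


def lookup_dotted(cef, field):
    """Return the value for `field` from one CEF dict.

    A literal key match wins (this is the case the thread is about).
    Otherwise the name is split on '.' and walked as a nested path.
    Returns None when the field is absent either way.
    """
    if field in cef:
        return cef[field]
    node = cef
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def collect_dotted_field(collect2_result, field):
    """Return one value per artifact (None where the field is missing)."""
    values = []
    for row in collect2_result:
        cef = row[0] if row else None
        if not isinstance(cef, dict):
            values.append(None)
            continue
        values.append(lookup_dotted(cef, field))
    return values


def collect_present(collect2_result, field):
    """Same as collect_dotted_field but drops artifacts without the field."""
    return [v for v in collect_dotted_field(collect2_result, field) if v is not None]


if __name__ == "__main__":
    # In a playbook, replace SAMPLE_COLLECT2_RESULT with the collect2() call above.
    print(collect_dotted_field(SAMPLE_COLLECT2_RESULT, "id.orig_h"))
    print(collect_present(SAMPLE_COLLECT2_RESULT, "id.resp_h"))
```

Inside a playbook custom function the body would replace SAMPLE_COLLECT2_RESULT with the real collect2 result and return the list, so downstream blocks receive a plain list of IPs instead of the NULLs the dotted datapath produces.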

phanTom
SplunkTrust
SplunkTrust

@alexgkirk great news!! However, I am curious if the spath fix works. Are you able to test and let me know?

alexgkirk
Explorer

Good news, turns out I just missed a mapping that's already been done to resolve this - that field becomes dest_ip, which solves the problem.

Thanks in the meantime for the quick/helpful responses.

phanTom
SplunkTrust
SplunkTrust

@alexgkirk have you tried using spath to rename the json field in your SPL? This may create the outputted field differently than a simple 'as' rename?
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Spath

alexgkirk
Explorer

I'd be happy to, but it's less than clear to me from that article what the exact syntax is to do so. How exactly would I rename the field id.resp_h to be dest_ip?


