Splunk SOAR

Accessing JSON object with dot in name

alexgkirk
Explorer

I'm attempting to access a value returned from a previous block that performed a Splunk query, returning a field named "id.orig_h" as a result of the query. Using this syntax:

extIPs = phantom.collect2(container=container, datapath=['Execute_External_IP_Query:action_result.data.*.id.orig_h'])

I can readily access other fields from the search (i.e. the one named "uid"), but I'm getting NULL values returned for the field with the dot in its name. I've tried using "as" in my Splunk query to alias the field name to something without a dot, but that didn't make a difference. I'm assuming that there's some way to escape the dot in the field name, or quote the entire name such that it interprets things properly, but just can't find the syntax. Can anyone help?

1 Solution

sam_splunk
Splunk Employee

Hi @alexgkirk , accessing CEF fields with periods is problematic (and they actually cannot be defined within the platform's administrative UI). However, API calls and apps can still put them in, but accessing them in the playbooks is difficult. I'd recommend switching to a different convention (camelCase or snake_case, for example). 


If you have to use a period - then you can access `artifact:*.cef` and use a custom function to parse out the fields you want from the returned array of dictionaries.

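The custom-function approach from the accepted answer, written out as an added example (this is not code from the thread or from Splunk SOAR). It takes the list of per-artifact CEF dictionaries that the `artifact:*.cef` datapath yields and resolves a field name that contains a period. The sample dictionaries, the function names `get_dotted` and `collect_field`, and the handling of both a literal dotted key and a nested path are all constructed here; how the list is fed in from `phantom.collect2` is left to the playbook author.

```python
"""Pull a dotted CEF field (e.g. "id.orig_h") out of a list of artifact CEF
dictionaries, the kind of list a SOAR custom function would receive from the
'artifact:*.cef' datapath. Added example; not Splunk SOAR's own code."""

from typing import Any, Dict, Iterable, List, Optional


def get_dotted(cef: Dict[str, Any], name: str) -> Any:
    """Resolve `name` against a single CEF dict.

    A dotted name is ambiguous: it may be one flat key that happens to contain
    a period ({"id.orig_h": "10.0.0.5"}), which is what a Splunk search result
    field with a period in its name looks like, or it may be a nested path
    ({"id": {"orig_h": "10.0.0.5"}}). The literal key wins; the nested walk is
    the fallback. Returns None when neither form is present.
    """
    if name in cef:
        return cef[name]
    node: Any = cef
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def collect_field(cef_list: Iterable[Optional[Dict[str, Any]]], name: str) -> List[Any]:
    """Return one value per artifact (None where the field is absent or the
    artifact has no CEF dict) so positions stay aligned with other datapaths
    collected for the same artifacts."""
    return [get_dotted(cef, name) if isinstance(cef, dict) else None for cef in cef_list]


# Constructed sample input: three artifacts with CEF data in the shapes
# discussed above, plus one artifact with no CEF dict at all.
SAMPLE_CEF = [
    {"uid": "CabcD1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.9"},
    {"uid": "CefgH2", "id": {"orig_h": "10.0.0.6", "resp_h": "203.0.113.10"}},
    {"uid": "CijkL3", "dest_ip": "203.0.113.11"},
    None,
]

if __name__ == "__main__":
    # In a playbook, cef_list would be built from the results of
    # phantom.collect2(container=container, datapath=['artifact:*.cef'])
    # (assumed wiring; the collect2 return shape is not reproduced here).
    print(collect_field(SAMPLE_CEF, "id.orig_h"))
    print(collect_field(SAMPLE_CEF, "uid"))
```

Checking the literal key before walking the nested path matters: if the query result arrives with the period inside the key, a naive `split(".")` walk would look for a nested `id` object that does not exist and return nothing, which is the same NULL the question reports.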

phanTom
SplunkTrust

@alexgkirk great news!! However, I am curious if the spath fix works. Are you able to test and let me know?

-- Hope this helps, if so consider leaving some Karma. Even better is if this fixed your issue, that you mark as a solution for others to find. Happy SOARing!! ---

alexgkirk
Explorer

Good news, turns out I just missed a mapping that's already been done to resolve this - that field becomes dest_ip, which solves the problem.

Thanks in the meantime for the quick/helpful responses.

phanTom
SplunkTrust

@alexgkirk have you tried using spath to rename the json field in your SPL? This may create the outputted field differently than a simple 'as' rename?
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Spath

-- Hope this helps, if so consider leaving some Karma. Even better is if this fixed your issue, that you mark as a solution for others to find. Happy SOARing!! ---

alexgkirk
Explorer

I'd be happy to, but it's less than clear to me from that article what the exact syntax is to do so. How exactly would I rename the field id.resp_h to be dest_ip?


