Solved: Re: Spath field extract with period

mpaw · ‎08-17-2020

Hi All,

I am trying to extract fields using spath command. I noticed that fields with period in it cannot be extracted; as for the other fields without period are being extracted correctly.

(EXAMPLE FIELDS: action.email AND alert.suppress.period)

Is there any workaround for this? Any help would be much appreciated. Thanks!

Here is my script:

| rest /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search
| eval value=spath(value,"{}")
| mvexpand value
| eval name = spath(value, "name")
| eval search = spath(value, "search")
| eval schedule = spath(value, "cron_schedule")
| eval status = spath(value, "disabled")
| eval send_email = spath(value, "action.email")
| eval suppress_period = spath(value, "alert.suppress.period")
| fields name, search, schedule, status, send_email, suppress_period

to4kawa · ‎08-17-2020

| spath input=value
and rename

View solution in original post

to4kawa · ‎08-17-2020

| eval send_email = spath(value, 'action.email')
| eval suppress_period = spath(value, 'alert.suppress.period')

try '(single quote)

mpaw · ‎08-17-2020

I tried the single quote but still no luck. 😢

to4kawa · ‎08-17-2020

| spath input=value
and rename

mpaw · ‎08-17-2020

It works! Thanks so much!

Spath field extract with period

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?