I am trying to write a report of 'AccessDenied' messages in our AWS CloudTrail logs. These are in JSON format and the notable fields change depending on which service reports the error. So I am trying to simplify my results by comparing 2 fields:
and keeping whichever one is populated, e.g.
sourcetype=aws:cloudtrail errorCode="AccessDenied" | eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)
But it doesn't work? I've traced it back to something weird with the "requestParameters.Host" field -- which is 'nested' inside the JSON. The other field, "errorMessage" works as expected and that's probably because it's a 'first-level' field in the JSON (not a secondary/nested field)
It's like the "requestParameters.Host" field isn't a string, e.g. the following search also fails
sourcetype=aws:cloudtrail errorCode="AccessDenied" | eval test = requestParameters.Host
e.g. "test" is blank
I have also tried adding an "spath" command but I'm not sure how to use it. If I use the search UI's built-in "Add to search" it inserts:
sourcetype=aws:cloudtrail errorCode="AccessDenied" | spath "requestParameters.Host" | eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)
but that has no effect, i.e., "requestParameters.Host" is still a 'ghost' field which I cannot use in an 'eval' statement
try enclosing the field name requestParameters.Host With single quote like below in if statement:
Bah! It was as simple as that 🙂
I would have thought the single-quotes would be treating it as a string value, rather than the long-name of a variable.
double quotes for string. single quotes are used in eval command to identify field names if names contain space or any other special characters.