I am trying to write a report of 'AccessDenied' messages in our AWS CloudTrail logs. These are in JSON format and the notable fields change depending on which service reports the error. So I am trying to simplify my results by comparing 2 fields:

• errorMessage
• requestParameters.Host

and keeping whichever one is populated, e.g.

sourcetype=aws:cloudtrail errorCode="AccessDenied"
| eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)

But it doesn't work? I've traced it back to something weird with the "requestParameters.Host" field -- which is 'nested' inside the JSON. The other field, "errorMessage" works as expected and that's probably because it's a 'first-level' field in the JSON (not a secondary/nested field)

It's like the "requestParameters.Host" field isn't a string, e.g. the following search also fails

sourcetype=aws:cloudtrail errorCode="AccessDenied"
| eval test = requestParameters.Host

e.g. "test" is blank

------------------

I have also tried adding an "spath" command but I'm not sure how to use it. If I use the search UI's built-in "Add to search" it inserts:

sourcetype=aws:cloudtrail errorCode="AccessDenied" 
| spath "requestParameters.Host"
| eval error = if( isnull(requestParameters.Host), errorMessage, requestParameters.Host)

but that has no effect, i.e., "requestParameters.Host" is still a 'ghost' field which I cannot use in an 'eval' statement