×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
joconnor
Explorer
Member since: ‎07-21-2022
‎10-14-2022
Community Statistics
Posts 6
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎07-21-2022
Activity Feed
View All

Re: Problem logging alerts to new index with key f...

by SplunkTrust in Alerting
‎10-14-2022 09:37 AM
‎10-14-2022 09:37 AM
I'd suspect that most probable culprits are line breaks and quotation marks. https://docs.splunk.com/Documentation/Splunk/9.0.1/Alert/EmailNotificationTokens#Result_tokens I don't see any mention about the fields being escaped in any way. So if you get, for example: { field1: "My result is: "whatever"!"} after substitiution of the tokens, it does not constitute a correct json document. You could try to escape "tricky" characters in your alert output so that the log event receives "safe" strings. ... View more

Re: SOAR / Phantom creating 8 identical artifacts ...

by in Splunk SOAR
‎07-21-2022 07:55 AM
‎07-21-2022 07:55 AM
@phanTom Resolved. Discovered it to be a setting in the advanced settings under the Phantom/SOAR App for Splunk config. By default it divides multi-value fields to be created as separate artifacts, but in my case was creating too much redundancy.  Thanks for your time. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-14-2022 12:07 PM