Event Management - Event Rule Manual Attribute not populating in alert (value appears as <<UNKNOWN>>)

scocuzza
Kilo Contributor

We have our events being populated with the following custom field (string)


We set up the Event Rule as follows


Our alerts will not populate with the sys_id's from the events


Only hardcoding the value gets the value propagated. For example, setting the event rule to u_splunk_affected_platform is TEST will propagate properly to the alert, but the ${u_splunk_affected_platform} value does not reference the sys_id properly that we want sent to the alert.


Jeff Mayrand1
Kilo Expert

Hi, I was curious if you were able to figure out why this is happening?  We are having similar issues where any of the regex or additional fields are producing the same <<unknown>> on the alert.   I opened a case with HI support and am awaiting a response.

Hi Jeff, did you get any solution for this issue? I am also facing the same problem. Getting UNKNOWN in the alert's fields while using a regex variable.

Yes. I did. It was the JSON payload that was coming in.

You need to really watch for values that come in that include additional double quotes, as it will cause problems in the parsing.

Also, when you do a webhook, make sure you are formatting it in such a way that you escape (\) the quotes you're using around the keys and values.

A nice tool to check your payload for errors can be found at jsonblob.com: simply cut and paste what was received in the event into it and look for structure errors.


Hope this helps!


Jeff
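As an added illustration of the payload problem described in the reply above (example code, not from the thread or from the platform itself): an additional_info payload whose values carry their own unescaped double quotes fails to parse, while the same content serialised with JSON.stringify is well-formed, so the ${field} binding in the event rule can resolve. The field name is the one from the question; the sys_id value, the description text and the simplified binding model are constructed for illustration.

```javascript
// Added example (not from the thread): check a webhook's additional_info
// payload the way the reply suggests, before it reaches the event rule.
// The sys_id and description values below are constructed for illustration.

// Parse the additional_info string; return the fields, or the parser's
// diagnostic if it is not valid JSON (unescaped inner quotes are a typical cause).
function checkAdditionalInfo(raw) {
  try {
    return { ok: true, fields: JSON.parse(raw) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Build additional_info from a plain object. JSON.stringify escapes any
// double quotes or backslashes inside keys and values, so the webhook
// never has to hand-escape them.
function buildAdditionalInfo(fields) {
  return JSON.stringify(fields);
}

// Simplified model of the ${field} binding in an event rule (not the
// platform's own code): a field missing from the parsed payload, which is
// what a parse failure leaves you with, shows up as <<UNKNOWN>>.
function resolveBinding(template, fields) {
  return template.replace(/\$\{([^}]+)\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(fields, name) ? String(fields[name]) : "<<UNKNOWN>>");
}

// Constructed sample: a description containing its own double quotes, sent
// without escaping, breaks the whole payload.
const badPayload =
  '{"u_splunk_affected_platform": "4f1c2e3d0a0b1c2d3e4f5a6b7c8d9e0f", "description": "disk "sda" full"}';
// The same content built with JSON.stringify is well-formed.
const goodPayload = buildAdditionalInfo({
  u_splunk_affected_platform: "4f1c2e3d0a0b1c2d3e4f5a6b7c8d9e0f",
  description: 'disk "sda" full',
});

function demo() {
  const bad = checkAdditionalInfo(badPayload);
  const good = checkAdditionalInfo(goodPayload);
  return {
    badOk: bad.ok,                       // false: parser rejects the inner quotes
    goodOk: good.ok,                     // true
    bound: good.ok ? resolveBinding("${u_splunk_affected_platform}", good.fields) : "<<UNKNOWN>>",
  };
}
```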