If the JWT fields are not being populated in your search results, first check to ensure that you are passing the JWT output to the
... | jwt field="request_headers" | spath input="jwt"
The JWT command does not automatically do this to provide you with the most flexibility as there may be cases where returning individual fields is not desirable.
If you do not see any JWT related output in your search results, it may be an indication that the field you have provided does not contain a valid JWT token.
However, if you are certain that valid JWT data exists, and you're still not seeing the
jwt field in the results, you can try the following steps to determine what may be causing the problem:
... | jwt field="request_headers" debug=True | spath input="jwt"
debug parameter will cause the JWT Decoder to return any errors encountered to Splunk.
Depending on your Splunk installation, this may result in one or more errors being displayed underneath the search bar with additional details about the error that is being encountered.
A log file is also created at the following location:
This file may contain additional errors or context for errors that have occurred with any search using the
jwt command, regardless of whether the
debug parameter was used in the search.
Send us a message! We'd be glad to help you.