SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

Single quoting of field names breaking SPL #7

Closed xv-nathan-h closed 2 years ago

xv-nathan-h commented 2 years ago

I just updated to v0.3.4 and had one of my generated SPL queries break due to the change in the handling of field names with spaces introduced in commit 84b19e6. It appears that this line is setting the transformer to use single quotes (sigma/backends/splunk/splunk.py line 38)

    field_quote: ClassVar[str] = "'"

The generated SPL then has single quotes around the field name, which at least Splunk Cloud 8.2.2203.3 does not work with. Changing the single quotes to double quotes seems to work fine. I'm not sure if there's potentially a Splunk version difference around this or not.

thomaspatzke commented 2 years ago

@d1vious @P4T12ICK can you confirm that field names with spaces must be quoted with double quotes `"`? I inferred the single quote for the search command from the eval usage.

thomaspatzke commented 2 years ago

Just confirmed myself 😉 In search context it's indeed the double quote. I'll fix this...

@d1vious @P4T12ICK new todo: improve the Splunk docs 😁😉

thomaspatzke commented 2 years ago

Fixed!

thomaspatzke commented 2 years ago

pySigma-backend-splunk release 0.3.5, integrated in sigma-cli 0.4.7.
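The quoting rule confirmed in this thread, as an added illustration by the editor rather than code from pySigma-backend-splunk: field names containing spaces get double quotes in `search` context and single quotes in eval/`where` context, and v0.3.4 applied the eval convention to search terms. The helper and class names, the `PLAIN_FIELD` regex and the refusal to escape quote characters inside a field name are assumptions of this example, not behaviour established by the issue.

```python
"""Added example (editor's illustration, not pySigma-backend-splunk code).

Shows the SPL quoting rule confirmed in this issue: a field name containing
spaces is wrapped in double quotes in `search` context ("Process Name"="x")
and in single quotes in eval context (| where 'Process Name'="x").
v0.3.4 applied the eval convention to search terms, which Splunk rejects.
The class/function names, the PLAIN_FIELD regex and the refusal to escape
quote characters inside field names are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: field names made of these characters need no quoting at all.
PLAIN_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


@dataclass(frozen=True)
class SplContext:
    """Quote character for field names in one SPL context (hypothetical helper,
    modelled on the backend's field_quote class variable, not its API)."""
    name: str
    field_quote: str


SEARCH = SplContext("search", '"')          # correct for the search command (0.3.5)
EVAL = SplContext("eval", "'")              # correct inside eval / where expressions
BROKEN_SEARCH = SplContext("search", "'")   # the 0.3.4 behaviour reported above


def quote_field(field: str, ctx: SplContext) -> str:
    """Return the field name quoted for the given context, or unquoted if plain."""
    if PLAIN_FIELD.match(field):
        return field
    q = ctx.field_quote
    if q in field or "\\" in field:
        # Conservative: the issue does not establish how quotes are escaped
        # inside a quoted field name, so refuse rather than guess.
        raise ValueError(f"cannot safely quote field name {field!r} in {ctx.name} context")
    return f"{q}{field}{q}"


def quote_value(value: str) -> str:
    """String values are double-quoted; backslash and double quote are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def search_term(field: str, value: str, ctx: SplContext = SEARCH) -> str:
    """One field=value term for the search command."""
    return f"{quote_field(field, ctx)}={quote_value(value)}"


def where_term(field: str, value: str) -> str:
    """The same condition written as an eval-style expression for `| where`."""
    return f"{quote_field(field, EVAL)}={quote_value(value)}"


def search_query(terms: list[tuple[str, str]], ctx: SplContext = SEARCH) -> str:
    """Join terms into a bare search (Splunk ANDs adjacent terms implicitly)."""
    return " ".join(search_term(f, v, ctx) for f, v in terms)


if __name__ == "__main__":
    # Constructed sample terms, not taken from any real rule.
    terms = [("Process Name", "cmd.exe"), ("Image", "C:\\Windows\\System32\\cmd.exe")]
    print("broken (0.3.4):", search_query(terms, BROKEN_SEARCH))
    print("fixed  (0.3.5):", search_query(terms))
    print("where form:    ", "| where " + where_term("Process Name", "cmd.exe"))
```

Running the block prints the same condition three ways: the single-quoted search form that failed on Splunk Cloud 8.2.2203.3, the double-quoted form shipped in 0.3.5, and the `| where` form where single quotes are the correct choice. Plain identifiers such as `Image` are left unquoted in every context.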