guilhemmarchand / TA-jira-service-desk-simple-addon

Atlassian JIRA add-on for Splunk alert actions

Ticket creation fails if a message contains a non latin-1 character #133

Closed sanjay900 closed 2 years ago

sanjay900 commented 2 years ago

I've noticed that in some of the tickets I am trying to create, the data happens to contain the – character, which isn't in the latin-1 codec. When I attempt to create these tickets in JIRA, I get the following error:

2022-05-02 07:29:02,726 ERROR pid=594145 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="JIRA Service Desk ticket creation has failed!:'latin-1' codec can't encode character '\u2013' in position 78: Body ('–') is not valid Latin-1. Use body.encode('utf-8') if you want to send it encoded in UTF-8." action_name="jira_service_desk" user="nobody" action_mode="saved" action_status="failure"

Is there a way to either filter these characters out, or to encode them correctly before sending them to JIRA?

guilhemmarchand commented 2 years ago

Hi @sanjay900

Right - do you have the raw message as it appears in Splunk?

guilhemmarchand commented 2 years ago

@sanjay900

Please do the following:

In DEBUG mode, the Add-on will log the entire JSON object that is sent to JIRA, then you can review the true content.

In the logs, look for "json data for final rest call"

The issue is an exception at the level of the call to JIRA, not happening for instance while the JSON object is formatted. It sounds like the character is not accepted by JIRA.

This should be reproducible even via a curl call.

One option could be to force the Add-on to encode in UTF8. If you can share an example of what is failing, I can work on reproducing it.

guilhemmarchand commented 2 years ago

I have tried some variations of the char (which apparently is an "EN dash") but could not reproduce it yet:

image

I think forcing the data to be encoded in UTF8 should fix it, but I am trying to make sure of that first.

sanjay900 commented 2 years ago

I'll see if I can reproduce this again locally. Interestingly enough, I found that when I had a test case that would continuously log EN_DASHes, it worked sometimes and failed other times. I had to erase my testing Splunk instance earlier today, so I'll have to set that up again.

guilhemmarchand commented 2 years ago

Would you have the chance to test this version?

https://github.com/guilhemmarchand/TA-jira-service-desk-simple-addon/releases/tag/2.0.9

It basically forces the UTF8 encoding, as per: https://github.com/guilhemmarchand/TA-jira-service-desk-simple-addon/commit/5ef417e09017330ef91e6591af9dc75d91bdcf9a#diff-dff5c7553a184c444f4ab7a19a8737025963ff7c2a851d69afe5e995fc7c816c

sanjay900 commented 2 years ago

Thank you, I'll test this today.

sanjay900 commented 2 years ago

It still seems to be happening, but now I think it happens when a comment is added while bumping a ticket. I presume that just means the data used for creating a comment needs a force encode as well?

2022-05-05 06:35:48,624 INFO pid=2492198 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="Alert action jira_service_desk started." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651696500_3513" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 06:35:49,759 INFO pid=2492198 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-05-05 06:35:49,792 INFO pid=2492198 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: An issue with same md5 hash (f61d6bc73100e6b96a096dbf22569c6d) was found in the backlog collection, as jira_dedup is enabled a new comment will be added if the issue is active. (status is not resolved or any other done status), entry:={ "account" : "cybercx_soc", "jira_md5" : "f61d6bc73100e6b96a096dbf22569c6d", "ctime" : "1651695532.1686182", "mtime" : "1651695532.1686287", "status" : "created", "jira_id" : "124581", "jira_key" : "XXXXX-127", "jira_self" : "https://xxx.atlassian.net/rest/api/latest/issue/124581", "_user" : "nobody", "_key" : "f61d6bc73100e6b96a096dbf22569c6d" }" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651696500_3513" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 06:35:50,293 INFO pid=2492198 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: The issue with key XXXXX-127 was set to status: "Unacknowledged" (status category: "To Do"), therefore, a new comment will be added to this issue." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651696500_3513" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 06:35:50,298 ERROR pid=2492198 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="JIRA Service Desk ticket creation has failed!:'latin-1' codec can't encode character '\u2013' in position 86: Body ('–') is not valid Latin-1. Use body.encode('utf-8') if you want to send it encoded in UTF-8." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651696500_3513" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="failure"
2022-05-05 06:35:50,299 ERROR pid=2492198 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="message content={"body": "h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@2f1b4d9a85b3b58e8dbeb0b7d2dfdc48f0817e88c2b62a6877ea98f47d89df18\nTime: 2022-05-05T06:34:56+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@2f1b4d9a85b3b58e8dbeb0b7d2dfdc48f0817e88c2b62a6877ea98f47d89df18%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651695834.000000&latest=1651697034.000000&display.page.search.tab=statistics]\nh4. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T06:33:54+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay| |\n|temp_vendor_product=MISSING| |\n|test=test –- test| |\n|user=sanjay| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@2f1b4d9a85b3b58e8dbeb0b7d2dfdc48f0817e88c2b62a6877ea98f47d89df18|\nh4. 
Next steps:\nMISSING\n\n----"}" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651696500_3513" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="failure"

guilhemmarchand commented 2 years ago

Thanks @sanjay900 ! Ha right indeed ;-)

Give me a few min

guilhemmarchand commented 2 years ago

@sanjay900

I have uploaded a new version, build 1651698925. You will find it in the release as previously (the tgz is replaced).

This should force the utf8 encoding on the comment too

Let me know
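
Added example, not part of the thread and not the add-on's code: the error text in the logs is the one Python's `http.client` raises when it is handed a `str` request body, which it encodes as Latin-1. The sketch below runs three body forms through the real `HTTPConnection.request()` path with a capturing stand-in for the socket; the host, URL path, sample comment and the `to_wire` helper are assumptions made for illustration.

```python
import http.client
import json

# Constructed sample mirroring the "test –- test" value in the failing log lines.
COMMENT = {"body": "test \u2013- test"}


class _Sink:
    """Stands in for the socket: records what http.client would transmit."""

    def __init__(self):
        self.data = b""

    def sendall(self, chunk):
        self.data += bytes(chunk)

    def close(self):
        pass


class CapturingConnection(http.client.HTTPConnection):
    """HTTPConnection whose connect() attaches a _Sink instead of a real socket."""

    def connect(self):
        self.sock = self.sink = _Sink()


def try_send(body):
    """Run body through HTTPConnection.request(); return (status, detail)."""
    conn = CapturingConnection("jira.example.invalid")  # placeholder host, never resolved
    try:
        conn.request(
            "POST",
            "/rest/api/latest/issue/0/comment",  # placeholder path
            body=body,
            headers={"Content-Type": "application/json; charset=utf-8"},
        )
    except UnicodeEncodeError as exc:
        # http.client encodes str bodies as Latin-1 before anything is sent.
        return "rejected", exc.object[exc.start:exc.end]
    # Everything after the blank line that ends the headers is the body.
    return "sent", conn.sink.data.split(b"\r\n\r\n", 1)[1]


def to_wire(payload):
    """Hypothetical helper: always hand the HTTP layer UTF-8 bytes.

    Accepts a dict/list (serialised as JSON), a str, or bytes, so the same
    call can wrap every outgoing request (issue creation and comments alike).
    """
    if isinstance(payload, bytes):
        return payload
    if not isinstance(payload, str):
        payload = json.dumps(payload, ensure_ascii=False)
    return payload.encode("utf-8")


if __name__ == "__main__":
    # 1. str body holding a literal U+2013: rejected inside http.client.
    print(try_send(json.dumps(COMMENT, ensure_ascii=False)))
    # 2. Same content as UTF-8 bytes: sent unchanged.
    print(try_send(to_wire(COMMENT)))
    # 3. json.dumps default (ensure_ascii=True) escapes to \u2013, so the str
    #    is pure ASCII and survives the Latin-1 encode.
    print(try_send(json.dumps(COMMENT)))
```

A string that already contains the literal character fails only when it reaches the HTTP layer as `str`; encoding at a single choke point such as `to_wire` covers every request the integration makes rather than one call site at a time.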

sanjay900 commented 2 years ago

I've downloaded that build, and it still seems to be having the same issue

2022-05-05 08:44:05,414 INFO pid=2847477 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="Alert action jira_service_desk started." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651704180_22" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 08:44:06,653 INFO pid=2847477 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-05-05 08:44:06,685 INFO pid=2847477 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: An issue with same md5 hash (7c20881c01525543f7cc768759581ea4) was found in the backlog collection, as jira_dedup is enabled a new comment will be added if the issue is active. (status is not resolved or any other done status), entry:={ "account" : "xxxxxx_soc", "jira_md5" : "7c20881c01525543f7cc768759581ea4", "ctime" : "1651696610.877173", "mtime" : "1651696610.8771849", "status" : "created", "jira_id" : "124587", "jira_key" : "XXXXX-128", "jira_self" : "https://xxxxxx.atlassian.net/rest/api/latest/issue/124587", "_user" : "nobody", "_key" : "7c20881c01525543f7cc768759581ea4" }" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651704180_22" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 08:44:07,115 INFO pid=2847477 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: The issue with key XXXXX-128 was set to status: "Unacknowledged" (status category: "To Do"), therefore, a new comment will be added to this issue." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651704180_22" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 08:44:07,119 ERROR pid=2847477 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="JIRA Service Desk ticket creation has failed!:'latin-1' codec can't encode character '\u2013' in position 86: Body ('–') is not valid Latin-1. Use body.encode('utf-8') if you want to send it encoded in UTF-8." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651704180_22" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="failure"
2022-05-05 08:44:07,120 ERROR pid=2847477 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="message content={"body": "h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\nTime: 2022-05-05T08:42:23+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\nh4. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T08:35:47+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay2|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay2| |\n|temp_vendor_product=MISSING| |\n|test=test –- test| |\n|user=sanjay2| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\nh4. 
Next steps:\nMISSING\n\n----"}" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651704180_22" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="failure"

sanjay900 commented 2 years ago

Here is a failing event with the log level set to DEBUG

2022-05-05 09:06:48,585 INFO pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="Alert action jira_service_desk started." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 09:06:48,585 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="Get session_key." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,591 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="auth_type=basic" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,592 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="username=svc_mss_jira+captest@mxwservices.onmicrosoft.com" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,592 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_auth_mode=basic" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,592 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_url=https://xxxxxxcx.atlassian.net" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,593 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_ssl_certificate_validation=1" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,593 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="ssl_certificate_validation=True" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,593 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_ssl_certificate_path=0" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,594 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_ssl_certificate_path=0" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,594 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_passthrough_mode=0" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,594 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_passthrough_mode=0" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,595 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="passthrough_mode=False" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,601 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="Get session_key." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,864 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="splunkd_port=8089" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,865 INFO pid=2912021 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-05-05 09:06:49,866 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="proxy_url=None" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,866 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="use_proxy set to False" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,866 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_project=XXXXX" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,867 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_issue_type=Security Alert" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,867 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_priority=Low" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,868 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup_enabled=True" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,868 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup_exclude_statuses=Done" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,868 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: jira_dedup_full_mode is set to False, the md5 calculation scope will be restricted to the content of the jira_dedup_content." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,869 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup_content=Threat - Micro Search Pass Through (XXX) - STCAP UNDEFINED test –- test sanjay2" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,869 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_attachment=enabled_csv" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,869 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_attachment:=enabled_csv" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,870 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_attachment_token=/opt/splunk/var/run/splunk/dispatch/scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281/per_result_alert/tmp_0.csv.gz" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,870 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_customfields_parsing=enabled" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,870 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_customfields_parsing:=enabled" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,872 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="event=OrderedDict([('story_event_time', '2022-05-05T09:04:24+10:00'), ('story_event_id', 'A2FEDAAF-5C21-4230-9593-EF5C00779B5B@@notable@@3ae73a9aa7ffdf288eace8c9e11fddc6'), ('story_search_name', 'Threat - Micro Search Pass Through (XXX) - STCAP'), ('jira_priority', 'Low'), ('jira_summary', 'MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2'), ('aggregate_by', 'UNDEFINED test –- test sanjay2'), ('micro_event_search', '%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22'), ('jira_description', 'h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\nTime: 2022-05-05T09:04:24+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\nh4. 
MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T08:35:47+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay2|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay2| |\n|temp_vendor_product=MISSING| |\n|test=test –- test| |\n|user=sanjay2| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\nh4. Next steps:\nMISSING\n\n----'), ('earliest_micro_event_time', '1651703147.000000'), ('latest_micro_event_time', '1651704347.000000'), ('jira_update_comment', 'h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\nTime: 2022-05-05T09:04:24+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\nh4. 
MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T08:35:47+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay2|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay2| |\n|temp_vendor_product=MISSING| |\n|test=test –- test| |\n|user=sanjay2| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\nh4. Next steps:\nMISSING\n\n----'), ('__mv_story_event_time', ''), ('__mv_story_event_id', ''), ('__mv_story_search_name', ''), ('__mv_jira_priority', ''), ('__mv_jira_summary', ''), ('__mv_aggregate_by', ''), ('__mv_micro_event_search', ''), ('__mv_jira_description', ''), ('__mv_earliest_micro_event_time', ''), ('__mv_latest_micro_event_time', ''), ('__mv_jira_update_comment', ''), ('rid', '0')])" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,873 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_priority_dynamic=Low" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,873 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_summary=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,874 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_description=h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\nTime: 2022-05-05T09:04:24+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\nh4. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T08:35:47+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay2|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay2| |\n|temp_vendor_product=MISSING| |\n|test=test –- test| |\n|user=sanjay2| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\nh4. 
Next steps:\nMISSING\n\n----" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,874 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_assignee=" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,875 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_reporter=" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,875 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_labels=" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,875 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_components=" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,876 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_customfields_parsing=enabled" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,882 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_customfields=" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,882 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira priority is overridden by jira_priority_dynamic=Low" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,883 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="json raw data for final rest call before json.loads:=b'{\n"fields": {\n"project":\n {\n"key": "XXXXX"\n },\n"summary": "MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test \xe2\x80\x93- test sanjay2",\n"description": "h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test \xe2\x80\x93- test sanjay2\\nh3. Customer Zone: UNDEFINED\\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\\nTime: 2022-05-05T09:04:24+10:00\\n\\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\\nh4. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\\nBase template for a generic Micro Search\\nTime: 2022-05-05T08:35:47+10:00\\n\\n||Actionable Information||Metadata||\\n|temp_any_user=sanjay2|detectframework=springsteen|\\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\\n|temp_user=sanjay2| |\\n|temp_vendor_product=MISSING| |\\n|test=test \xe2\x80\x93- test| |\\n|user=sanjay2| |\\n|vendor=MISSING| |\\n|vendor_product=MISSING| |\\n\\n||Additional Information||\\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\\nh4. 
Next steps:\\nMISSING\\n\\n----",\n"issuetype": {\n"name": "Security Alert"\n},\n "priority" : {\n"name": "Low"\n }\n}\n}'" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,883 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_md5sum:=7c20881c01525543f7cc768759581ea4" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,884 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="json data for final rest call:={
    "fields": {
        "project": {
            "key": "XXXXX"
        },
        "summary": "MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test \u2013- test sanjay2",
        "description": "h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test \u2013- test sanjay2\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\nTime: 2022-05-05T09:04:24+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\nh4. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T08:35:47+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay2|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay2| |\n|temp_vendor_product=MISSING| |\n|test=test \u2013- test| |\n|user=sanjay2| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\nh4. Next steps:\nMISSING\n\n----",
        "issuetype": {
            "name": "Security Alert"
        },
        "priority": {
            "name": "Low"
        }
    }
}" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,904 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="response status_code:=200" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,904 INFO pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: An issue with same md5 hash (7c20881c01525543f7cc768759581ea4) was found in the backlog collection, as jira_dedup is enabled a new comment will be added if the issue is active. (status is not resolved or any other done status), entry:={ "account" : "xxxxxxcx_soc", "jira_md5" : "7c20881c01525543f7cc768759581ea4", "ctime" : "1651696610.877173", "mtime" : "1651696610.8771849", "status" : "created", "jira_id" : "124587", "jira_key" : "XXXXX-128", "jira_self" : "https://xxxxxxcx.atlassian.net/rest/api/latest/issue/124587", "_user" : "nobody", "_key" : "7c20881c01525543f7cc768759581ea4" }" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 09:06:49,905 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_backlog_response_json:={'account': 'xxxxxxcx_soc', 'jira_md5': '7c20881c01525543f7cc768759581ea4', 'ctime': '1651696610.877173', 'mtime': '1651696610.8771849', 'status': 'created', 'jira_id': '124587', 'jira_key': 'XXXXX-128', 'jira_self': 'https://xxxxxxcx.atlassian.net/rest/api/latest/issue/124587', '_user': 'nobody', '_key': '7c20881c01525543f7cc768759581ea4'}" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,905 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_backlog_key:=XXXXX-128" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:49,905 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_url_status:=https://xxxxxxcx.atlassian.net/rest/api/latest/issue/XXXXX-128" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:50,481 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="response status_code:=200" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:50,482 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_issue_status:=Unacknowledged" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:50,482 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_issue_status_category:=To Do" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:50,483 INFO pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: The issue with key XXXXX-128 was set to status: "Unacknowledged" (status category: "To Do"), therefore, a new comment will be added to this issue." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="success"
2022-05-05 09:06:50,483 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_url:=https://xxxxxxcx.atlassian.net/rest/api/latest/issue/XXXXX-128/comment" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:50,484 DEBUG pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_update_comment:={"body": "h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\nTime: 2022-05-05T09:04:24+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\nh4. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T08:35:47+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay2|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay2| |\n|temp_vendor_product=MISSING| |\n|test=test –- test| |\n|user=sanjay2| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\nh4. 
Next steps:\nMISSING\n\n----"}" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved"
2022-05-05 09:06:50,488 ERROR pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="JIRA Service Desk ticket creation has failed!:'latin-1' codec can't encode character '\u2013' in position 86: Body ('–') is not valid Latin-1. Use body.encode('utf-8') if you want to send it encoded in UTF-8." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="failure"
2022-05-05 09:06:50,489 ERROR pid=2912021 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="message content={"body": "h3. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen - UNDEFINED test –- test sanjay2\nh3. Customer Zone: UNDEFINED\nThreat - Micro Search Pass Through (XXX) - STCAP - 1:1 Alarming mechanism for converting Micro Search outputs into notables XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29\nTime: 2022-05-05T09:04:24+10:00\n\nSplunk Search Results: [Click Here|https://192.168.2.190/en-US/app/search/search?q=%7C%20datamodel%20Micro_Search%20Micro_Search%20search%20%0A%7C%20search%20Micro_Search.micro_event_id%20IN%20(%22XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29%22)%0A%7C%20table%20_time%20Micro_Search.*%20%0A%7C%20%60initialize_micro_search_outputs%60%20%0A%7C%20table%20_time%20micro_search_name%20micro_event_id%20weighting%20aggregate_by%20metadata_*%20extracted_kvp%20*&earliest=1651703147.000000&latest=1651704347.000000&display.page.search.tab=statistics]\nh4. MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen\nBase template for a generic Micro Search\nTime: 2022-05-05T08:35:47+10:00\n\n||Actionable Information||Metadata||\n|temp_any_user=sanjay2|detectframework=springsteen|\n|temp_search_name=MSCAP - Latin1 Test - Micro Search (XXX) - Summary Gen| |\n|temp_user=sanjay2| |\n|temp_vendor_product=MISSING| |\n|test=test –- test| |\n|user=sanjay2| |\n|vendor=MISSING| |\n|vendor_product=MISSING| |\n\n||Additional Information||\n|micro_event_id=XXX_micro_search_staging@@d99697dac1d978e2e4e1a116d48607d775b98864ebe7bc0b60ce9d4de672ed29|\nh4. 
Next steps:\nMISSING\n\n----"}" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (XXX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9QYWNrYWdl__RMD5edb5e8eeca1be80b_at_1651705560_1281" rid="0" app="Splunk_TA_XXX_Springsteen_Package" user="nobody" action_mode="saved" action_status="failure"
sanjay900 commented 2 years ago

I did however find that changing the following seems to have fixed it:

diff --git a/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py b/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py
index eb16a58..9bdbfa0 100755
--- a/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py
+++ b/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py
@@ -831,6 +831,9 @@ def query_url(helper, account, jira_auth_mode, jira_url, jira_username, jira_pas
                         data = '{"body": "New alert triggered: ' + jira_summary + '"}'
                     else:
                         data = jira_update_comment
+
+                    # Force encode UTF8
+                    data = data.encode('utf-8').decode('latin1')

                 # dedup is enabled but the issue was resolved, closed or cancelled
                 elif jira_dedup_enabled and jira_issue_status_category in jira_dedup_exclude_statuses:
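Review bot: On the added line `data = data.encode('utf-8').decode('latin1')`, the comment says "Force encode UTF8" but the value left in `data` is still a str, now holding the UTF-8 bytes reinterpreted as Latin-1 characters. The request only carries correct UTF-8 because the body is encoded as Latin-1 again on send (the step the error in the logs above comes from), and anything that later logs or compares `data` will see mangled text rather than the original. The error message itself points at the direct form: hand the body over as bytes with `data.encode('utf-8')` and drop the `.decode('latin1')`.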
guilhemmarchand commented 2 years ago

Thanks @sanjay900 Now that you shared an example (the full JSON) I will give it a check.

Forcing a decode from latin1 is unlikely to be relevant for everyone. It seems you have some extra fanciness in your case which led to that; while I think it's not a good idea (out of the TA I mean), the Add-on should get protected against such bad practices.

Will follow up.

sanjay900 commented 2 years ago

Yeah, I'm not really sure why I needed that, but I found that without decoding again, for some reason it sent the string to JIRA with the b'' around it, causing JIRA to complain that it wasn't valid JSON. I'm sure there's a better fix there. Clearly I was doing something wrong there but just wasn't really sure what. It probably didn't need to be latin1 though, and there must be something somewhere I'm missing.

sanjay900 commented 2 years ago

@guilhemmarchand Were you able to recreate the problem?

guilhemmarchand commented 2 years ago

Not yet @sanjay900 I gave it a try with your content without being able to make it fail.

I think somehow the encoding issue is coming from your JIRA which is unable to accept some special encoding conditions

sanjay900 commented 2 years ago

Are you testing by creating a new ticket or bumping? It seems this only happens when bumping, never when creating a new ticket. The error isn't coming from JIRA either, it's an error from the requests Python module.

I did a bunch of testing yesterday, and I have a ticket that uses the full ticket content when bumping. The initial ticket is created with the symbol, but the ticket fails to bump with that error.

sanjay900 commented 2 years ago

@guilhemmarchand I had a look at the differences between what is done for standard tickets vs bumping, and realised that copying the JSON loads and dumps from above also seems to fix the issues, and that seems a lot less hacky than what I tried doing before as well.

diff --git a/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py b/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py
index eb16a58..79fc2c5 100755
--- a/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py
+++ b/package/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py
@@ -831,7 +831,18 @@ def query_url(helper, account, jira_auth_mode, jira_url, jira_username, jira_pas
                         data = '{"body": "New alert triggered: ' + jira_summary + '"}'
                     else:
                         data = jira_update_comment

+                    # Force encode UTF8
+                    data = data.encode('utf-8')
+                    helper.log_debug("json raw data for final rest call before json.loads:={}".format(data))
+                    try:
+                        data = json.dumps(json.loads(data, strict=False), indent=4)
+                    except Exception as e:
+                        helper.log_error("json loads failed to accept some of the characters,"
+                                        " raw json data before json.loads:={}".format(data))
+                        raise e
+
+                    helper.log_debug("json data for final rest call:={}".format(data))
                 # dedup is enabled but the issue was resolved, closed or cancelled
                 elif jira_dedup_enabled and jira_issue_status_category in jira_dedup_exclude_statuses:
                     helper.log_info(
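Review bot: In the added block, `data = data.encode('utf-8')` is not what makes the body safe to send; the `json.dumps(json.loads(data, strict=False), indent=4)` round trip is, because `json.dumps` escapes non-ASCII characters by default, so the encode line and its "Force encode UTF8" comment can go or should say that instead. In the handler, a bare `raise` is preferable to `raise e`, and `except Exception` could be narrowed to the JSON decode error the log message describes. Separately, the context line that builds `'{"body": "New alert triggered: ' + jira_summary + '"}'` by concatenation yields invalid JSON when `jira_summary` contains a double quote or backslash; building a dict and passing it to `json.dumps` avoids that. The two `helper.log_debug` calls write the full comment body to the log, so they should stay at DEBUG level.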
guilhemmarchand commented 2 years ago

What do you mean by "bumping" @sanjay900 ? (do you mean an update of an existing ticket?)

sanjay900 commented 2 years ago

@guilhemmarchand Yeah, this seems to only happen when creating comments on an existing ticket, using jira_update_comment. Makes sense why it took me ages to replicate it myself too, as I didn't realise that was the cause at first.

It seems like the reason why the json.dumps / json.loads fixes it is because it replaces the literal ‒ with an escape code of \u2012, and that then makes it compliant to latin-1. I suspect we don't actually need to force encode them either, I think just json.dumps / json.loads is all that is required, but the encoding doesn't seem to hurt.

https://github.com/guilhemmarchand/TA-jira-service-desk-simple-addon/pull/135
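The mechanism described in the comment above, as an added example that is not part of the thread or the add-on's code. The function names and the sample payload are constructed for illustration; the Latin-1 step mirrors what Python's http.client does with a str request body, which is where the error text in the logs originates.

```python
import json

# Constructed sample: a comment payload shaped like the one in the logs,
# containing U+2013 (EN DASH), which has no Latin-1 encoding.
RAW_COMMENT = (
    '{"body": "h3. Summary Gen - UNDEFINED test \u2013- test sanjay2'
    '\\nh4. Next steps:\\nMISSING"}'
)


def wire_bytes_for_str_body(body):
    # http.client encodes a str body as ISO-8859-1 before sending and
    # raises UnicodeEncodeError when a character does not fit.
    return body.encode("iso-8859-1")


def latin1_safe(body):
    # True when the str body would survive the implicit Latin-1 encoding.
    try:
        wire_bytes_for_str_body(body)
        return True
    except UnicodeEncodeError:
        return False


def normalise_payload(raw):
    # Round trip through the JSON parser, as the ticket-creation path does.
    # json.dumps defaults to ensure_ascii=True, so every non-ASCII character
    # is written as a \uXXXX escape and the result is pure ASCII.
    return json.dumps(json.loads(raw, strict=False), indent=4)


def first_workaround(raw):
    # The earlier patch in the thread: UTF-8 bytes reinterpreted as Latin-1
    # text. The str is mangled, but Latin-1 encoding it again restores the
    # original UTF-8 bytes on the wire.
    return raw.encode("utf-8").decode("latin1")


def body_text(raw):
    # Decode the JSON and return the comment text a server would store.
    return json.loads(raw, strict=False)["body"]


if __name__ == "__main__":
    print("raw payload Latin-1 safe:       ", latin1_safe(RAW_COMMENT))
    fixed = normalise_payload(RAW_COMMENT)
    print("normalised payload Latin-1 safe:", latin1_safe(fixed))
    print("normalised payload is ASCII:    ", fixed.isascii())
    print("same comment text after decode: ",
          body_text(fixed) == body_text(RAW_COMMENT))
    mangled = first_workaround(RAW_COMMENT)
    print("workaround sends UTF-8 bytes:   ",
          wire_bytes_for_str_body(mangled) == RAW_COMMENT.encode("utf-8"))
```

Both approaches get past the Latin-1 encoder, but only the JSON round trip leaves a payload whose str form still matches the text being sent.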

guilhemmarchand commented 2 years ago

Thanks @sanjay900 I will review this as soon as possible.

sanjay900 commented 2 years ago

@guilhemmarchand have you had any time to look into this?

guilhemmarchand commented 2 years ago

Hi @sanjay900 My apologies for the delay, I've been very busy and had to prioritise.

I will shortly review where we were on this issue

sanjay900 commented 2 years ago

No problem, thank you

sanjay900 commented 2 years ago

I think all that was needed was to merge https://github.com/guilhemmarchand/TA-jira-service-desk-simple-addon/pull/135 as that was found to be the fix for this issue while testing, and all it's doing is applying the same json.dumps / json.loads mechanism that is used for creating issues to updating them.

sanjay900 commented 2 years ago

Would I be able to get another 2.0.9 built so I can throw it on a testing Splunk instance and see if it's all working?

guilhemmarchand commented 2 years ago

@sanjay900

I am looking at a version 2.0.10 which is safer and better built on the Python side of things while handling the reconstruction of the JSON payload.

I was planning to ask you for some testing, likely by tomorrow.

That is, the way it currently builds the JSON data isn't very Pythonic and is potentially subject to failure with extremely complex content. I have a version almost ready and will ping you in this thread shortly.

guilhemmarchand commented 2 years ago

Can you check this version @sanjay900 please?

https://github.com/guilhemmarchand/TA-jira-service-desk-simple-addon/releases/tag/2.0.10

Let me know ;-)

sanjay900 commented 2 years ago

@guilhemmarchand It appears that ticket updating isn't working on 2.0.10, I get the following error (I will turn on debugging and see if I can get more logs soon):


2022-06-29 07:01:45,599 INFO pid=1716930 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="Alert action jira_service_desk started." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (CCX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9DU0FfUGFja2FnZQ__RMD5edb5e8eeca1be80b_at_1656450060_1129" rid="0" app="xxx" user="nobody" action_mode="saved" action_status="success"
2022-06-29 07:01:46,133 INFO pid=1716930 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-06-29 07:01:46,153 INFO pid=1716930 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: An issue with same md5 hash (91b1ae9213b52b24b76878f306a334d5) was found in the backlog collection, as jira_dedup is enabled a new comment will be added if the issue is active. (status is not resolved or any other done status), entry:={ "account" : "cybercx_soc", "jira_md5" : "91b1ae9213b52b24b76878f306a334d5", "ctime" : "1656450047.8596678", "mtime" : "1656450047.8596776", "status" : "created", "jira_id" : "205109", "jira_key" : "CAPTIC-330", "jira_self" : "xxx", "_user" : "nobody", "_key" : "91b1ae9213b52b24b76878f306a334d5" }" action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (CCX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9DU0FfUGFja2FnZQ__RMD5edb5e8eeca1be80b_at_1656450060_1129" rid="0" app="Splunk_TA_CCX_Springsteen_CSA_Package" user="nobody" action_mode="saved" action_status="success"
2022-06-29 07:01:46,708 INFO pid=1716930 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="jira_dedup: The issue with key CAPTIC-330 was set to status: "Unacknowledged" (status category: "To Do"), therefore, a new comment will be added to this issue." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (CCX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9DU0FfUGFja2FnZQ__RMD5edb5e8eeca1be80b_at_1656450060_1129" rid="0" app="xxx" user="nobody" action_mode="saved" action_status="success"
2022-06-29 07:01:46,709 ERROR pid=1716930 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="Error: 'in <string>' requires string as left operand, not dict. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed." action_name="jira_service_desk" search_name="Threat - Notable Event to Notification - JIRA (CCX) - NTCAP" sid="scheduler__nobody_U3BsdW5rX1RBX0NDWF9TcHJpbmdzdGVlbl9DU0FfUGFja2FnZQ__RMD5edb5e8eeca1be80b_at_1656450060_1129" rid="0" app="xxx" user="nobody" action_mode="saved" action_status="failure"
sanjay900 commented 2 years ago

@guilhemmarchand I have found the issue, https://github.com/guilhemmarchand/TA-jira-service-desk-simple-addon/pull/139 with this, issue updating works perfectly fine including with that EN_DASH (–) character.

guilhemmarchand commented 2 years ago

Thank you @sanjay900 ! I have merged your pull request, and updated the preview release of 2.0.10.

I need to perform a bit more testing before stating the release to be ready for publishing, especially on custom fields, assignee and reporter.

And again thanks for your help, very much appreciated!

Work in progress but hopefully it is ready for publishing ;-)

sanjay900 commented 2 years ago

Fantastic stuff, just did a test with the preview release and it seems to be working just fine there too :) Thank you

sanjay900 commented 2 years ago

@guilhemmarchand how is the testing going?

sanjay900 commented 2 years ago

@guilhemmarchand any updates?

sanjay900 commented 2 years ago

Interestingly, I came across yet another issue that this would solve as well, and I'm currently just having to construct SPL to escape all the characters for me, which is something I would prefer not to have to do.

guilhemmarchand commented 2 years ago

Hi @sanjay900 !

I will publish the new release tomorrow, all is green now, sorry for the very long delay but I couldn't afford all the time I would have wanted to.

sanjay900 commented 2 years ago

Thank you, all good, I get not having enough time to work on these sorts of things.

sanjay900 commented 2 years ago

If you need a hand with working on this I would be happy to give you more of a hand with it. I've become quite reliant on this TA so I wouldn't mind contributing more to it if that helps you?

guilhemmarchand commented 2 years ago

@sanjay900

Version 2.0.10 was finally published today! I have had some final issues with the custom field parsing topic, which is still not up to the level of quality I would like it to be but I think everything should be working fine.

I'd be happy if you want to contribute in improving the app indeed! Let's start from this release and let me know if you find anything going wrong ;-)

sanjay900 commented 2 years ago

> @sanjay900
>
> Version 2.0.10 was finally published today! I have had some final issues with the custom field parsing topic, which is still not up to the level of quality I would like it to be but I think everything should be working fine.
>
> I'd be happy if you want to contribute in improving the app indeed! Let's start from this release and let me know if you find anything going wrong ;-)

Is there a reason why the new package isn't available for Splunk Cloud yet? I presume there's some sort of delay on Splunk's end while they vet it? Any idea how long that process usually takes?

guilhemmarchand commented 2 years ago

Hey @sanjay900 It usually takes a week or so nowadays, it used to be different and much more difficult but got improved lately (Splunk Cloud automated app vetting). Appinspect passes successfully so I expect it to be imminent.

sanjay900 commented 2 years ago

Seems to be working well, have deployed this to quite a few stacks now and it all seems stable

guilhemmarchand commented 2 years ago

Hey @sanjay900 Thanks for sharing this, it's really great news ;-) Anything you notice, please let me know!