olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Four broken EVAL statements within default/props.conf #109

Closed barrettnet closed 1 year ago

barrettnet commented 1 year ago

There are 4 broken/incomplete EVAL statements within the app's default/props.conf

[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-user_domain =

[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-user_domain =

[source::XmlWinEventLog:Security]
EVAL-user_privilege_list = 

[source::WinEventLog:Security]
EVAL-user_privilege_list = 

In each case, there is nothing to the right of the equal sign, which is causing Splunk to flag these as "Missing arguments" within its logs: index=_internal sourcetype=splunkd component=CalcFieldProcessor log_level=WARN TERM(Invalid) TERM(eval) TERM(expression)
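A small offline check for the condition described in this issue, added here as an example (it is not part of the ThreatHunting app or of this thread): it parses props.conf stanzas and reports every EVAL- setting with nothing to the right of the equals sign, so the defect can be caught before splunkd logs it. The props.conf text is constructed for the demo and only mirrors the stanza names quoted above.

```python
import re

# Constructed sample modelled on the stanzas quoted in the issue, not the
# app's real props.conf: two empty EVAL statements plus valid settings.
SAMPLE_PROPS_CONF = """\
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-user_domain =
EVAL-user = if(isnull(user), "unknown", user)

[source::WinEventLog:Security]
EVAL-user_privilege_list = 
# EVAL-commented_out = lower(x)
FIELDALIAS-account = Account_Name AS user
"""

STANZA_RE = re.compile(r"^\[(?P<name>.+)\]$")


def parse_conf(text: str) -> dict:
    """Parse Splunk .conf text into {stanza: [(key, value), ...]}.

    Skips '#' comments, joins backslash-continued lines, and strips
    whitespace around keys and values so 'key = ' yields an empty value.
    """
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw
        pending = ""
        if line.rstrip().endswith("\\"):          # continuation line
            pending = line.rstrip()[:-1]
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = STANZA_RE.match(stripped)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, [])
            continue
        key, sep, value = stripped.partition("=")
        if sep:                                   # ignore non key=value lines
            stanzas.setdefault(current, []).append((key.strip(), value.strip()))
    return stanzas


def find_empty_evals(text: str) -> list:
    """Return (stanza, field) pairs for EVAL-* settings with no expression."""
    return [(stanza, key[len("EVAL-"):])
            for stanza, items in parse_conf(text).items()
            for key, value in items
            if key.startswith("EVAL-") and value == ""]


if __name__ == "__main__":
    for stanza, field in find_empty_evals(SAMPLE_PROPS_CONF):
        print(f"[{stanza}] EVAL-{field} has no expression")
```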

dstaulcu commented 1 year ago

Nice find and search!

It does not appear that user_domain or user_privilege_list fields are referenced among savedsearches or macros. Seems like these entries would be safe to comment out or remove in props.conf

I am tempted to write an extraction for these fields but see that the user counterpart for user_domain field is an extraction of the Splunk_TA_Windows and not the Threathunting app. Do you think having access to values in these fields would be valuable to ThreatHunting at this time or are you mainly motivated to reduce warnings / noise in internal logs?

dstaulcu commented 1 year ago

Pull request #108 updated to include fix for this problem

barrettnet commented 1 year ago

My motivation was mainly to reduce the amount of warnings/errors within the internal logs. If the fields are not utilised by the app then I agree with just commenting out (or removing) the lines.

olafhartong commented 1 year ago

fixed by Deniz