olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Invalid eval expression - EVAL-file_extension #85

Closed barrettnet closed 2 years ago

barrettnet commented 2 years ago

I've just installed v1.5.0 of the app from SplunkBase and I'm seeing errors in index=_internal saying "Invalid eval expression for 'EVAL-file_extension` in stanza [source::WinEventLog:Microsoft-Windows-Sysmon/Operational]: Missing arguments."

Looking at props.conf, I can see the line "EVAL-file_extension =", i.e. there is nothing to the right of the equal sign.

olafhartong commented 2 years ago

cleaned that up too, thanks
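A check for the condition reported in this issue, as an added example that is not part of the thread or of the ThreatHunting app: it scans props.conf text for `EVAL-<field>` settings with nothing after the equal sign. The function name `find_empty_evals` and the sample settings are constructed for illustration, and the parser assumes standard Splunk .conf syntax (stanza headers in brackets, `#` comments, a trailing backslash continuing a value on the next line).

```python
import re

# Constructed sample reproducing the reported condition; not the app's real props.conf.
SAMPLE_PROPS = r"""[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
# constructed settings for illustration
EVAL-file_extension =
EVAL-vendor = "Microsoft"
EVAL-process_name = \
    lower(Image)

[example:sourcetype]
EVAL-file_extension=
FIELDALIAS-user = User AS user
"""

STANZA_RE = re.compile(r"^\[(.*)\]$")

def find_empty_evals(text):
    """Return (stanza, key, line_number) for each EVAL-<field> with no expression."""
    findings = []
    stanza = "default"  # settings before any header belong to [default]
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start = i + 1  # 1-based line where this setting begins
        logical = lines[i]
        i += 1
        if logical.lstrip().startswith("#"):
            continue
        # A trailing backslash continues the value, so "EVAL-x = \" is not empty.
        while logical.rstrip().endswith("\\") and i < len(lines):
            logical = logical.rstrip()[:-1] + " " + lines[i]
            i += 1
        stripped = logical.strip()
        header = STANZA_RE.match(stripped)
        if header:
            stanza = header.group(1)
            continue
        key, sep, value = stripped.partition("=")
        if sep and key.strip().startswith("EVAL-") and not value.strip():
            findings.append((stanza, key.strip(), start))
    return findings

if __name__ == "__main__":
    for stanza, key, lineno in find_empty_evals(SAMPLE_PROPS):
        print(f"line {lineno}: [{stanza}] {key} has no eval expression")
```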