remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

mispgetevent ConnectionError #131

Closed damoklov closed 4 years ago

damoklov commented 4 years ago

Greetings!

I have encountered a problem with the |mispgetevent command in the Splunk environment. The issue seems to occur when requesting events for a long period of time, e.g. 60 days. However, when executing |mispgetevent last=60m it works fine, returning 1 event, as there is in my MISP instance. This can be seen in the screenshots attached.

I would like to know whether there is a problem on my side, or whether it is connected with Python 2.7 and its requests module?

Maybe there is then a way to fetch events with some specific parameters like IP address for the last day/week/month in some different way? Thank you in advance, I would appreciate any help :)

[Screenshots attached: splunkErr1, splunkErr2]
remg427 commented 4 years ago

Hello, could you try in your MISP using the REST client to check whether you have the same issue or not? Which version of Splunk and misp42splunk?

damoklov commented 4 years ago

@remg427 Thanks for a quick reply!

MISP42 v3.1.4
Splunk v8.0.1

Via the REST API I can fetch data about a single event using, for example, this query:

curl --header "Authorization: <api-key>" --header "Accept: application/json" --header "Content-Type: application/json" -k https://192.168.56.108/events/xml/download/2170

With this command I receive an empty XML response:

curl --header "Authorization: <api-key>" --header "Accept: application/json" --header "Content-Type: application/json" -k https://192.168.56.108/events/xml/download/false/true/false/false/false/20m

Response:

<?xml version="1.0" encoding="UTF-8"?>
<response></response>

And with this command I receive an error:

curl --header "Authorization: <api-key>" --header "Accept: application/json" --header "Content-Type: application/json" -k https://192.168.56.108/events/xml/download/false/true/false/false/false/2d

Error:

curl: (52) Empty reply from server

As far as I can see, the maximum amount of time for which events can be fetched is 60m.

remg427 commented 4 years ago

Hello, sorry for the late reply. The REST API endpoints are https://your.misp.instance/events/restSearch or /attributes/restSearch.
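As an added example, not code from the misp42splunk project or from either participant: a Python 3 script that queries the restSearch endpoints named above with a relative time window (the `last` filter, e.g. "2d") and an optional indicator value, which also covers the earlier question about fetching events for one IP address over the last day/week/month. The base URL and API key are caller-supplied placeholders, and the sample payloads are constructed for offline use.

```python
"""Query MISP via /events/restSearch or /attributes/restSearch (POST, JSON body)
instead of the legacy /events/xml/download/... path segments.
Base URL and API key are assumed to be supplied by the caller."""
import json
import re
import ssl
import urllib.request

LAST_RE = re.compile(r"^\d+[mhd]$")  # MISP relative windows: minutes, hours, days


def build_search(last, value=None, scope="events"):
    """Return (path, body) for a restSearch POST. `value` optionally restricts
    results to a single indicator such as an IP address."""
    if scope not in ("events", "attributes"):
        raise ValueError("scope must be 'events' or 'attributes'")
    if not LAST_RE.match(last):
        raise ValueError("last must look like 60m, 12h or 2d")
    body = {"returnFormat": "json", "last": last}
    if value is not None:
        body["value"] = value
    return f"/{scope}/restSearch", body


def count_results(scope, payload):
    """Count hits in a restSearch JSON payload; an empty window yields 0, not an
    error. Events: {"response": [{"Event": ...}]}; attributes:
    {"response": {"Attribute": [...]}}."""
    resp = payload.get("response", [])
    if scope == "events":
        return len(resp)
    return len(resp.get("Attribute", []))


def misp_search(base_url, api_key, last, value=None, scope="events", verify_tls=True):
    """Perform the query. verify_tls=False mirrors curl -k; keep it True in production."""
    path, body = build_search(last, value, scope)
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as r:
        return json.load(r)


# Constructed sample payloads in the shape restSearch returns (not real data).
SAMPLE_EVENTS = {"response": [{"Event": {"id": "2170", "info": "constructed"}}]}
SAMPLE_EMPTY = {"response": []}
SAMPLE_ATTRS = {"response": {"Attribute": [{"type": "ip-dst", "value": "203.0.113.5"},
                                           {"type": "ip-src", "value": "203.0.113.5"}]}}
```

A 60-day window is simply `last="60d"`; to mirror the issue's IP use case, call `misp_search(url, key, "1d", value="203.0.113.5", scope="attributes")`.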