remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Missing Events #144

Closed idev closed 4 years ago

idev commented 4 years ago

Hello,

some events are not getting imported, despite the fact that the filter criteria are fulfilled. Is there something else that must be checked, e.g. Analysis "Completed" or not "organisation only"?

How can I debug why some specific events are not getting imported into Splunk?

Kind regards

idev commented 4 years ago

Did some more research:

But the event is still not getting imported.

idev commented 4 years ago

What I also did is to check if the filter categories (which are used by the savedsearch) are correct:

|mispgetioc misp_instance=default_misp eventid=<missing_event_uuid> pipesplit=true add_description=true category="Antivirus detection,Artifacts dropped,External analysis,Financial fraud,Internal reference,Network activity,Other,Payload delivery,Payload installation,Payload type,Persistence mechanism,Person,Social network,Support Tool,Targeting data" to_ids=true geteventtag=true warning_list=true

which also is working and showing the event.

idev commented 4 years ago

So according to the documentation the param "last" is tied to the publish_timestamp; this could be my problem.

remg427 commented 4 years ago

Hello,

Indeed, last is an alias of publish_timestamp. You may try to add published=false, not sure. Another way is to use date=YYYY-MM-DD; this works on the event date regardless of publication status.

To debug, set mode to info or debug. In the search.log you have the request body in JSON, so you can copy it and test it directly with the MISP REST GUI client.

You can likewise use the MISP REST client to craft a complex search with all the criteria you want and then use json_request= with that JSON payload in mispgetioc.

I am about to release 3.1.11, which is a huge improvement in quality and also usability. It is already on GitHub and soon on Splunkbase.

Remi

On 8 May 2020 16:07:53 GMT+02:00, idev notifications@github.com wrote:

So according to the documentation last is tied to the publish_timestamp; this could be my problem.


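The following is an added example, not code from misp42splunk or from MISP. It models the three selection options remg427 lists (last=, date= and published=) over a handful of constructed events, so you can see why an event that satisfies every category/to_ids criterion is still skipped by a last= search, and it builds the restSearch body that can be handed to mispgetioc as json_request=. The sample events are made up; that a never-published event carries publish_timestamp 0, and that a single date= value means "that day or later", are assumptions about MISP's behaviour rather than facts stated in the thread.

```python
"""Added example (not code from misp42splunk or MISP): why last= can miss
an event that passes every other filter, and how date=/published= differ."""
import json

# Attribute categories from idev's saved search (copied from the thread).
CATEGORIES = {
    "Antivirus detection", "Artifacts dropped", "External analysis",
    "Financial fraud", "Internal reference", "Network activity", "Other",
    "Payload delivery", "Payload installation", "Payload type",
    "Persistence mechanism", "Person", "Social network", "Support Tool",
    "Targeting data",
}

DAY = 86400
# Fixed "now" for a deterministic run: 2020-05-08 14:07:53 UTC.
NOW = 1588946873

# Constructed sample events, not real MISP data. Keys follow MISP's event
# JSON; publish_timestamp == 0 for a never-published event is an assumption.
SAMPLE_EVENTS = [
    {"id": 101, "date": "2020-05-06", "published": True,
     "publish_timestamp": NOW - 2 * DAY,
     "Attribute": [{"category": "Network activity", "to_ids": True}]},
    {"id": 102, "date": "2020-05-07", "published": False,      # never published
     "publish_timestamp": 0,
     "Attribute": [{"category": "Payload delivery", "to_ids": True}]},
    {"id": 103, "date": "2020-05-07", "published": True,       # edited, not re-published
     "publish_timestamp": NOW - 30 * DAY,
     "Attribute": [{"category": "Artifacts dropped", "to_ids": True}]},
    {"id": 104, "date": "2020-05-07", "published": True,       # fails to_ids filter
     "publish_timestamp": NOW - 1 * DAY,
     "Attribute": [{"category": "Network activity", "to_ids": False}]},
]


def build_rest_payload(last=None, date=None, published=None, eventid=None):
    """Body for POST /attributes/restSearch carrying the thread's criteria.
    Parameter names are the ones MISP's REST search accepts."""
    body = {"returnFormat": "json", "category": sorted(CATEGORIES),
            "to_ids": 1, "includeEventTags": 1, "enforceWarninglist": 1}
    for key, value in (("eventid", eventid), ("last", last),
                       ("date", date), ("published", published)):
        if value is not None:
            body[key] = value
    return body


def json_request_arg(**criteria):
    """The JSON string to pass to mispgetioc via json_request=."""
    return json.dumps(build_rest_payload(**criteria))


def relative_seconds(last):
    """Parse MISP-style relative times such as '7d', '12h', '30m'."""
    return int(last[:-1]) * {"m": 60, "h": 3600, "d": DAY}[last[-1]]


def passes_static_filters(event):
    """The category/to_ids criteria idev verified with eventid=."""
    return any(a["category"] in CATEGORIES and a["to_ids"]
               for a in event["Attribute"])


def matches_last(event, last, now=NOW):
    """last= compares publish_timestamp, never the event date."""
    return event["publish_timestamp"] >= now - relative_seconds(last)


def matches_date(event, date):
    """date= works on the event date: a [from, to] range, or a single day
    meaning that day or later (assumption)."""
    if isinstance(date, (list, tuple)):
        return date[0] <= event["date"] <= date[1]
    return event["date"] >= date


def select(events, last=None, date=None, published=None, now=NOW):
    """Local model of what the server returns for each selection option."""
    return [ev for ev in events if passes_static_filters(ev)
            and (last is None or matches_last(ev, last, now))
            and (date is None or matches_date(ev, date))
            and (published is None or ev["published"] == published)]


def diagnose(events, last, now=NOW):
    """{event_id: reason} for events that pass the static filters but are
    dropped by last=; this is the check to run on a 'missing' event."""
    out = {}
    for ev in events:
        if not passes_static_filters(ev) or matches_last(ev, last, now):
            continue
        if ev["publish_timestamp"] == 0 or not ev["published"]:
            out[ev["id"]] = "never published: last= uses publish_timestamp"
        else:
            age = (now - ev["publish_timestamp"]) // DAY
            out[ev["id"]] = f"published {age}d ago, outside last={last}"
    return out


if __name__ == "__main__":
    print(json_request_arg(last="7d"))
    for eid, why in diagnose(SAMPLE_EVENTS, "7d").items():
        print(eid, why)
    print([ev["id"] for ev in select(SAMPLE_EVENTS, date="2020-05-01")])
```

Running it shows event 101 as the only hit for last=7d, while 102 (never published) and 103 (edited after an old publication) are reported by diagnose() and both come back once the search is switched to date=2020-05-01. The same switch is what remg427 recommends; comparing the search.log request body against json_request_arg() output is the quick way to confirm which of the three selectors a saved search is actually sending.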

idev commented 4 years ago

Thank you, this solved my issue.