remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0
109 stars, 30 forks

Is it expected behavior that the "last" parameter refers to the age of the event rather than the indicators? #178

Closed (trallgorm closed this issue 3 years ago)

trallgorm commented 3 years ago

For example, running a query for the last 24 hours gets you all indicators in events that have been published in the last 24 hours. So if I have the default feeds enabled, the query will fetch every single indicator from a feed that has been updated in the last 24 hours, which is sometimes years' worth of indicators. Is this intended behavior? Why not use the "attribute_timestamp" argument instead, which would return only the indicators that have been added in the last 24 hours? I have the code ready to make this change, but as this is a significant departure from the current behavior, I wanted to get some developer feedback on it first.

remg427 commented 3 years ago

Hi, thank you for using misp42splunk. For the behaviour of last, I simply relay and rely on the MISP REST API behaviour. So yes, last=24h will return all attributes of events which have been published in the last 24h. If you want only attributes having timestamps in the last 24h, you may test using date=, which works on timestamps (not published_timestamps), or you can use attribute_timestamp in a json_request. If you go that way, you can test your request using the MISP REST client and then take the JSON request back to Splunk. You don't need to mention format json; this is enforced. If you need some help to compute a dynamic timestamp, I can share an SPL where I use a subsearch to prepare the JSON request with a relative timestamp. I heavily use the parameter last in its current behaviour to onboard only attributes of events published or shared in the last 24h, even if the event dates themselves are several months or years ago.
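The difference the two comments describe (a publish-time window versus an attribute-time window) is easiest to see on a small payload. The following Python is an added example, not code from misp42splunk or from either commenter: it builds the two alternative restSearch JSON bodies (`last` as on the page, and `attribute_timestamp` with an epoch computed from a relative window, which is the "dynamic timestamp" approach mentioned above), then emulates both filters over a constructed MISP-style response. The response shape (`Event.publish_timestamp`, `Event.Attribute[].timestamp`) and the fixed clock are assumptions made for the example; only `last` and `attribute_timestamp` are parameter names taken from the thread.

```python
"""Added example: 'last' (event publish time) versus 'attribute_timestamp' (per-attribute time)."""
import json

# Constructed sample with a fixed "now" so the results are reproducible offline.
NOW = 1_700_000_000
HOUR, DAY = 3600, 86400

# Assumed MISP-style JSON: publish_timestamp on the event, timestamp on each attribute.
SAMPLE_EVENTS = [
    {   # feed event re-published an hour ago, but most of its indicators are old
        "Event": {
            "id": "1", "info": "feed-event-A", "publish_timestamp": str(NOW - 1 * HOUR),
            "Attribute": [
                {"uuid": "a1", "type": "ip-dst", "value": "192.0.2.10", "timestamp": str(NOW - 1 * HOUR)},
                {"uuid": "a2", "type": "domain", "value": "old.example", "timestamp": str(NOW - 400 * DAY)},
                {"uuid": "a3", "type": "sha256", "value": "00" * 32, "timestamp": str(NOW - 2 * DAY)},
            ],
        }
    },
    {   # event published 10 days ago; one attribute was edited 2 hours ago without a republish
        "Event": {
            "id": "2", "info": "event-B", "publish_timestamp": str(NOW - 10 * DAY),
            "Attribute": [
                {"uuid": "b1", "type": "ip-dst", "value": "198.51.100.7", "timestamp": str(NOW - 2 * HOUR)},
                {"uuid": "b2", "type": "url", "value": "http://old.example/x", "timestamp": str(NOW - 30 * DAY)},
            ],
        }
    },
]


def relative_window_to_seconds(window):
    """Parse a relative window such as '24h', '7d' or '30m' into seconds."""
    units = {"m": 60, "h": HOUR, "d": DAY}
    unit = window[-1]
    if unit not in units or not window[:-1].isdigit():
        raise ValueError(f"unsupported window: {window!r}")
    return int(window[:-1]) * units[unit]


def build_restsearch_body(window, by_attribute, now=NOW):
    """Return the JSON body for a MISP restSearch call.

    by_attribute=False keeps the current misp42splunk behaviour: 'last' filters on
    event publish time. by_attribute=True sends 'attribute_timestamp' as an epoch
    computed from the same window (the 'dynamic timestamp' approach from the thread).
    No returnFormat is added because the app enforces json itself.
    """
    if by_attribute:
        body = {"attribute_timestamp": str(now - relative_window_to_seconds(window))}
    else:
        body = {"last": window}
    return json.dumps(body, sort_keys=True)


def select_attributes(events, window, by_attribute, now=NOW):
    """Emulate locally which attribute uuids each filter would return for the window."""
    cutoff = now - relative_window_to_seconds(window)
    selected = []
    for wrapper in events:
        ev = wrapper["Event"]
        # publish-time filter: whole event in or out, every attribute follows
        if not by_attribute and int(ev["publish_timestamp"]) < cutoff:
            continue
        for attr in ev["Attribute"]:
            # attribute-time filter: each indicator judged on its own timestamp
            if by_attribute and int(attr["timestamp"]) < cutoff:
                continue
            selected.append(attr["uuid"])
    return selected


if __name__ == "__main__":
    print(build_restsearch_body("24h", by_attribute=False))
    print(build_restsearch_body("24h", by_attribute=True))
    print("last=24h              ->", select_attributes(SAMPLE_EVENTS, "24h", by_attribute=False))
    print("attribute_timestamp   ->", select_attributes(SAMPLE_EVENTS, "24h", by_attribute=True))
```

Run as-is, the publish-time filter returns every indicator of the freshly republished feed event (including the one 400 days old) and nothing from the older event, while the attribute-time filter returns only the two indicators actually touched in the last 24 hours, one of them from an event that was never republished. Which set is wanted depends on whether the onboarding job tracks "what was shared recently" or "what was added recently", which is exactly the trade-off the two comments describe.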