remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

How to search for only not decayed attributes #187

Closed pietrogu closed 3 years ago

pietrogu commented 3 years ago

Hi,

I need to search for all the attributes which are not decayed (based on a decaying model). Is it possible to search for this? If not, is it possible to add this feature?

Thanks, Pietro

remg427 commented 3 years ago

Hi, if you can search with the REST client on MISP, you can pass the same payload (with properly escaped \") to the json_request param of most custom commands. See the dashboards on MISP42 version 4.0.0 for a practical search example. Best, Rémi

pietrogu commented 3 years ago

Hi,

I tried to use json_request, but if I search for IoCs for the last 15 days (using date or last or timestamp inside the json_request) the search returns error code 1.

If I search for IoCs for the last 10 days, the results arrive after several minutes (about 8 mins).

Are the search using the default MISP42Splunk parameters and the one using json_request different? Maybe the first goes directly to MariaDB?

pietrogu commented 3 years ago

Searching on the web, maybe the solution to my problem could be using pagination. Is a recursive search which goes page by page possible?

remg427 commented 3 years ago

Hi, that's odd. json_request should work like on MISP. Could you paste your request? -- Sent with K-9 Mail.

remg427 commented 3 years ago

Hi, MISP42 commands support pagination (by default limit=1000 and page=1). Using Splunk SPL and map you may be able to do a loop, but what I ended up doing is several appends with different page ids. You may also check with curl how your MISP server behaves, just to check that there is no issue with the misp42 code. On my different implementations, including a quite large one, it works in reasonable time, 1 to 2 minutes max. 8 is not normal.


pietrogu commented 3 years ago

I am using this query

| mispgetioc misp_instance=default_misp output=raw json_request="{ \"timestamp\":\"5d\",\"excludeDecayed\": \"1\",\"type\":{\"OR\": [\"ip-src\",\"ip-dst\",\"domain\"]}}" limit=0

where the desired value in timestamp is 365d
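The page-by-page approach remg427 describes, applied to the excludeDecayed search above, as an added example that is not part of misp42splunk or of this thread: a small Python paginator that sends the same body to MISP's POST /attributes/restSearch with an increasing page number until a page comes back shorter than limit. The helper names, the `requests`-based transport and the constructed stand-in server are assumptions for illustration.

```python
from typing import Callable, Dict, List

# Hypothetical helper (not misp42splunk code): builds the same body that goes into
# json_request above, plus the restSearch paging fields "limit" and "page".
def build_restsearch_body(timestamp="365d", types=("ip-src", "ip-dst", "domain"),
                          exclude_decayed=True, limit=1000, page=1) -> Dict:
    return {
        "returnFormat": "json",
        "timestamp": timestamp,                 # relative window, same syntax as on the page
        "excludeDecayed": 1 if exclude_decayed else 0,
        "type": {"OR": list(types)},
        "limit": limit,
        "page": page,                           # 1-based, like the MISP42 default page=1
    }

def fetch_all_attributes(post: Callable[[Dict], Dict], limit: int = 1000,
                         max_pages: int = 100, **search) -> List[Dict]:
    """Request page=1, 2, ... until a page is shorter than `limit` (or max_pages is hit).
    `post` sends one body to POST /attributes/restSearch and returns the parsed JSON."""
    results, seen = [], set()
    for page in range(1, max_pages + 1):
        resp = post(build_restsearch_body(limit=limit, page=page, **search))
        attrs = resp.get("response", {}).get("Attribute", [])
        for a in attrs:
            if a["uuid"] not in seen:           # guard against overlap between pages
                seen.add(a["uuid"])
                results.append(a)
        if len(attrs) < limit:                  # short (or empty) page means last page
            break
    return results

def misp_post(url: str, api_key: str, verify: bool = True) -> Callable[[Dict], Dict]:
    """Real transport (assumes the `requests` package is installed)."""
    import requests
    def _post(body: Dict) -> Dict:
        r = requests.post(url.rstrip("/") + "/attributes/restSearch", json=body,
                          headers={"Authorization": api_key, "Accept": "application/json"},
                          verify=verify, timeout=1200)  # long timeout, cf. max_request_time
        r.raise_for_status()
        return r.json()
    return _post

# Constructed stand-in for a MISP server holding 7 matching attributes (offline test data).
FAKE_ATTRS = [{"uuid": f"00000000-0000-4000-8000-00000000000{i}", "type": "ip-dst",
               "value": f"203.0.113.{i}"} for i in range(7)]

def fake_post(body: Dict) -> Dict:
    start = (body["page"] - 1) * body["limit"]
    return {"response": {"Attribute": FAKE_ATTRS[start:start + body["limit"]]}}
```

With `fetch_all_attributes(misp_post("https://misp.example", "API_KEY"), limit=1000)` the loop does the appends for you; with `fake_post` and `limit=3` it walks three pages and returns all 7 attributes.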

pietrogu commented 3 years ago

The problem was in my MISP settings: raising max_request_time from 300 up to 1200 did the job. I close the issue.