remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Updating values with "0" during updating sighting by value #207

Closed schimpy closed 3 days ago

schimpy commented 2 years ago

Hello team,

I managed to send sightings from Splunk to MISP (both by attribute uuid and by value).

But when updating sighting by value, all attributes with a zero ("0") value in them also got updated (plus all occurrences of "domain.net"). I am using the following SPL:

| makeresults 
| eval misp_domain="domain.net"
| sendalert misp_alert_sighting param.misp_instance=misp_default param.title="TEST" param.mode="byvalue" param.type=1

Could you see a possible issue here?

schimpy commented 2 years ago

Hello @remg427,

Any updates on this issue? Were you able to replicate it at your env.?

Thank you in advance.

Br, schimpy

schimpy commented 2 years ago

Hello team, any updates on this?

schimpy commented 1 year ago

Hello @remg427, any updates on this issue?

remg427 commented 1 year ago

Hello, I finally had a look at this. Sorry for taking so long. On "all occurrences of domain.net are updated": this is expected when doing sighting by value.

"all attributes with zero ("0") value in it got updated": I excluded 0 / "0" from the list of values.

schimpy commented 1 year ago

Hello @remg427, in which version is the bug fixed? Thanks

remg427 commented 1 year ago

Hello, this is fixed in the latest version 4.2.2
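Added example, not part of the thread and not misp42splunk's own code: one way to build the value list for a by-value sighting so that 0 / "0" never reaches MISP, as the fix described above does. The `misp_` field-prefix selection, the helper names, the `source` string, the exclusion of empty strings and the sample row are assumptions made for illustration; the payload follows the `values` / `type` / `source` body that MISP's sightings/add endpoint accepts.

```python
# Constructed sample of one Splunk result row; values arrive as strings.
# Only misp_domain comes from the thread, the other fields are hypothetical.
SAMPLE_ROW = {
    "_time": "1700000000",
    "misp_domain": "domain.net",
    "misp_count": "0",
    "misp_ip": "",
    "misp_host": " domain.net ",
}

# Placeholder values that are not indicators. Sighting by value marks every
# attribute whose value matches, so a bare "0" would sight unrelated attributes.
# Excluding the empty string as well is an assumption of this example.
EXCLUDED = {"", "0"}


def sighting_values(row, prefix="misp_"):
    """Return de-duplicated values from prefix-named fields, minus placeholders."""
    values = []
    for field, raw in row.items():
        if not field.startswith(prefix):
            continue
        # Splunk multivalue fields may arrive as lists; treat both shapes alike.
        for item in raw if isinstance(raw, (list, tuple)) else [raw]:
            if item is None:
                continue
            # Normalise to a stripped string first, so integer 0 and "0" are
            # both caught. A plain truthiness test ("if item:") would drop
            # integer 0 but keep the string "0".
            value = str(item).strip()
            if value in EXCLUDED or value in values:
                continue
            values.append(value)
    return values


def sighting_payload(row, sighting_type=1, source="splunk"):
    """Build a sightings/add style body, or None when nothing is left to sight."""
    values = sighting_values(row)
    if not values:
        return None  # never send an empty or placeholder-only sighting
    return {"values": values, "type": str(sighting_type), "source": source}


if __name__ == "__main__":
    print(sighting_payload(SAMPLE_ROW))
```

The comparison is an exact match on the whole value, so indicators that merely contain a zero, such as `10.0.0.1`, are kept.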