remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

last field Deprecated #230

Open rafiki31130 opened 1 year ago

rafiki31130 commented 1 year ago

Hi, the 'last' field is deprecated in MISP. The right parameter to use is timestamp; using the last field, the request takes a lot longer than expected and can generate timeouts on important sources.

It can be manually managed with this parameter: json_request="{\"timestamp\":\"1d\"}". But it would be great if it were directly managed by the command.

Thanks !

remg427 commented 1 year ago

Hi, thank you for the email. Yes, normally with json_request you can query exactly like with the REST client.

Do you have a link to documentation on using timestamp over last? I will align it in a future release soon. Remi


rafiki31130 commented 1 year ago

Hi,

My bad, the documentation does indicate that the last field is deprecated, but it is replaced by publish_timestamp, not timestamp.

However, an interesting fact: requests over timestamp (corresponding to the latest update time) are much faster than over publish_timestamp (or last), surely because timestamp is indexed and the others aren't. I don't know if you want to take this into account, but it can be useful.

Source, detailed field list here: RESTful searches with XML result export

Kind regards, Christian
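As an added illustration of the point raised in this thread (not code from misp42splunk or MISP), the helper below rewrites a restSearch filter that still uses the deprecated `last` key to `publish_timestamp`, optionally moves the window onto `timestamp` (the key reported above as faster), validates the time specifier, and serialises the result for the `json_request` argument. The accepted forms of the specifier (relative shorthand such as `1d`/`12h`/`30m`, epoch seconds, or a two-element range) are assumptions about the MISP REST API, and the function names are hypothetical.

```python
import json
import re

# Deprecated restSearch key and its documented replacement (per the thread above).
DEPRECATED_TIME_KEYS = {"last": "publish_timestamp"}
# Assumed accepted forms: relative shorthand ("1d", "12h", "30m") or epoch seconds.
RELATIVE_RE = re.compile(r"^\d+[mhd]$")
EPOCH_RE = re.compile(r"^\d{9,10}$")


def is_time_spec(value):
    """True for a single relative/epoch specifier or a [start, end] range of them."""
    if isinstance(value, (list, tuple)):
        return len(value) == 2 and all(is_time_spec(v) for v in value)
    return isinstance(value, str) and bool(RELATIVE_RE.match(value) or EPOCH_RE.match(value))


def normalize_misp_filter(filter_body, prefer_indexed=False):
    """Rewrite a restSearch filter so it no longer uses the deprecated 'last' key.

    'last' becomes 'publish_timestamp' (the documented replacement). With
    prefer_indexed=True the window is applied on 'timestamp' instead, which the
    thread reports as faster (last-update time, not publish time, so the result
    set differs). Raises ValueError on a malformed specifier or conflicting keys.
    """
    body = dict(filter_body)  # never mutate the caller's dict
    for old, new in DEPRECATED_TIME_KEYS.items():
        if old in body:
            if new in body:
                raise ValueError(f"both '{old}' and '{new}' given; keep only '{new}'")
            body[new] = body.pop(old)
    if prefer_indexed and "publish_timestamp" in body and "timestamp" not in body:
        body["timestamp"] = body.pop("publish_timestamp")
    for key in ("publish_timestamp", "timestamp"):
        if key in body and not is_time_spec(body[key]):
            raise ValueError(f"invalid time specifier for '{key}': {body[key]!r}")
    return body


def to_json_request(filter_body, **kw):
    """Compact JSON string suitable for the mispgetioc json_request="..." argument."""
    return json.dumps(normalize_misp_filter(filter_body, **kw), sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    legacy = {"last": "1d", "published": True, "returnFormat": "json"}  # constructed sample
    print(to_json_request(legacy))
    print(to_json_request(legacy, prefer_indexed=True))
```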