Sigma2SplunkAlert

Feature Request: search by index time

Open · a2tf opened this issue 5 years ago · 1 comment

Hi Patrick

Wouldn't it be nice to give one the option to search by index time? Then no event would go missing if it is indexed later.

Or did you already implement this feature in another app? I didn't go through the code of your Splunk-related projects.

Maybe just add the option "by_indextime" to search_transformations.

Let me know; I would provide the code, as I think we will try to use it like that in the future.

Andi

a2tf · Aug 30 '19 09:08
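As an added example (not part of this issue and not Sigma2SplunkAlert's own code), the Python below shows what a "by_indextime" search transformation would do to a generated Splunk search, plus a small simulation of why it matters. The function name `by_indextime`, its signature, the `scheduled_run` simulation and the sample events are assumptions made for illustration; `_index_earliest`/`_index_latest` are real Splunk search-time modifiers that bound on the time an event was indexed rather than on its `_time`.

```python
"""Hypothetical 'by_indextime' search transformation (illustration only,
not Sigma2SplunkAlert's own code).

A scheduled Splunk alert normally bounds its search on the event timestamp
(_time) via earliest=/latest=. An event that arrives late (e.g. from a
forwarder that was offline) carries an old _time, so the scheduled run that
would have covered it has already happened and it is never alerted on.
Splunk's _index_earliest/_index_latest bound on the time the event was
indexed instead, so whichever run first sees the event catches it.
"""
import re

# earliest=/latest= modifiers, value with or without quotes (earliest=-15m,
# latest="now"). The \b keeps already-converted _index_earliest= from matching.
_TIME_MOD = re.compile(r'\b(earliest|latest)=("[^"]*"|\S+)')


def by_indextime(search: str, earliest: str = "-15m@m", latest: str = "now") -> str:
    """Rewrite a Splunk search so its time window is based on index time.

    Existing earliest=/latest= modifiers become _index_earliest=/_index_latest=.
    If there are none, a window built from the `earliest`/`latest` arguments
    (assumed defaults) is appended to the leading filter, before the first pipe.
    Searches that already use index-time modifiers are returned unchanged.
    """
    if "_index_earliest=" in search or "_index_latest=" in search:
        return search
    if _TIME_MOD.search(search):
        return _TIME_MOD.sub(lambda m: f"_index_{m.group(1)}={m.group(2)}", search)
    if search.lstrip().startswith("|"):
        # Generating commands (| tstats, | inputlookup ...) take their time
        # bounds differently; refuse rather than produce a broken search.
        raise ValueError("search starts with a generating command; cannot insert window")
    head, sep, tail = search.partition("|")
    result = f"{head.rstrip()} _index_earliest={earliest} _index_latest={latest}"
    if sep:
        result += f" |{tail}"
    return result


# Constructed sample events (epoch seconds, toy values). Only events already
# indexed when a run fires are visible to it, because the search reads the index.
SAMPLE_EVENTS = [
    {"id": "on_time", "_time": 1500, "_indextime": 1501},
    # Arrived 300 s late: its _time window ([100, 1000)) ran before it was indexed.
    {"id": "late", "_time": 900, "_indextime": 1200},
    # Indexed after the run covering its _time ([1000, 1900)) had already fired.
    {"id": "very_late", "_time": 1850, "_indextime": 2100},
]


def scheduled_run(events, run_time: int, lookback: int, by_index_time: bool):
    """Simulate one run of a scheduled alert fired at run_time that covers the
    preceding `lookback` seconds, windowed on _time or on _indextime.
    Returns the sorted ids of events the run would alert on."""
    visible = [e for e in events if e["_indextime"] <= run_time]
    field = "_indextime" if by_index_time else "_time"
    start, end = run_time - lookback, run_time
    return sorted(e["id"] for e in visible if start <= e[field] < end)


def alerted_ids(events, by_index_time: bool):
    """Union of what three consecutive 15-minute (900 s) runs would alert on."""
    seen = set()
    for run_time in (1000, 1900, 2800):
        seen.update(scheduled_run(events, run_time, 900, by_index_time))
    return sorted(seen)


if __name__ == "__main__":
    spl = "index=wineventlog EventCode=4688 earliest=-15m latest=now | stats count by host"
    print(by_indextime(spl))
    print("by _time     :", alerted_ids(SAMPLE_EVENTS, by_index_time=False))
    print("by _indextime:", alerted_ids(SAMPLE_EVENTS, by_index_time=True))
```

The simulation shows the failure mode behind the request: windowed on `_time`, the `late` and `very_late` events are never alerted on by any run, whereas windowed on index time each is picked up by the first run that can see it. The trade-off is that the alert's time window no longer corresponds to when the events happened, so rules that aggregate over a period (counts per host in a window) see slightly different populations and thresholds may need retuning.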

Hi Andi,

That is a good idea, and exactly the idea behind search transformations. Everybody can add search transformations as needed and thereby adapt the detection rule to their needs. Thank you for your contribution.

Best regards, Patrick

P4T12ICK · Sep 02 '19 07:09