last field Deprecated

[rafiki31130]

Hi, The 'last' field is deprecated in MISP. The right parameter tu use is timestamp, using the last field, the request take a lot longuer than expected and can generate timeouts on important sources.

Can me manualy managed with this parameter: json_request="{"timestamp":"1d"}" But it would be great if directly managed by the command.

Thanks !

[remg427]

Hi, thank you for email Yes normally with json_request you can query exactly like with REST client

Do you have link to documentation on using timestamp over last? I will align in a future release soon Remi

Le 3 avril 2023 12:11:46 GMT+02:00, rafiki31130 @.***> a écrit :

Hi, The 'last' field is deprecated in MISP. The right parameter tu use is timestamp, using the last field, the request take a lot longuer than expected and can generate timeouts on important sources.

Can me manualy managed with this parameter: json_request="{"timestamp":"1d"}" But it would be great if directly managed by the command.

Thanks !

-- Reply to this email directly or view it on GitHub: https://github.com/remg427/misp42splunk/issues/230 You are receiving this because you are subscribed to this thread.

Message ID: @.***> -- Sent with K-9 Mail.

[rafiki31130]

Hi,

My bad, the documentation indicates well that the last field is deprecated but replaced by publish_timestamp, not timestamp.

However interesting fact: the requests over timestamp (corresponding to latest update time) are well faster than publish_timestamp (or last) surely because timestamp is indexed and the others aren't. Don't know if you want to take into account but it can be usefull.

Source, fields detailed list here: RESTful searches with XML result export

Kind regards, Christian