
Last should use "timestamp" and not "published_timestamp"

Open · romainw opened this issue 11 months ago · 1 comment

Thanks a lot for this great Splunk app.

For all practical purposes, it seems "last" should be matching the event's "timestamp" and not "published_timestamp".

For example, currently, if I set up a new MISP instance with events pulled from a remote instance from the last year, and set "last=1d", all the events from the last year will be returned, regardless of their actual timestamps. This is because having a new MISP instance means all these old events will be republished "today". Using "timestamps" should allow the correct date to be used for filtering out older events.

Thanks, Romain.

romainw · Feb 29 '24 23:02

Hi Romain, thank you for using misp42 and for the kind words.

Yes, last is equivalent to published_timestamp on MISP API endpoints.

I didn't know about this issue for newly installed MISP instances. You may use the parameter date=, which works on the date declared for the MISP event, or select the timestamp keys supported by the restSearch endpoints and build a custom JSON body. In that case, mispfetch might be easier, using tojson to prepare it.

Thanks, Remi

remg427 · Mar 05 '24 16:03
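The behaviour both posts describe, as an added example that is not part of this issue thread or of the misp42splunk code: a client-side replica of the relative-time filter applied once to the publish time (what "last" maps to) and once to the event's own "timestamp", plus the custom restSearch body Remi suggests building. The event records and the fixed clock are constructed; the restSearch keys `last`, `timestamp`, `publish_timestamp` and `returnFormat` are MISP's, and it is assumed that a relative window such as "1d" is accepted for the timestamp keys as it is for `last`.

```python
"""Why `last=1d` (publish time) and a `timestamp` filter select different events.
Constructed example: event records and the fixed NOW are made up; only the
restSearch keys `last`, `timestamp`, `publish_timestamp`, `returnFormat` are MISP's."""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # fixed clock, so results are reproducible
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}

def relative_to_epoch(spec: str, now: datetime = NOW) -> int:
    """Turn a MISP-style relative window ('1d', '12h', '30m') into an epoch lower bound."""
    m = re.fullmatch(r"(\d+)([mhd])", spec)
    if not m:
        raise ValueError(f"unsupported relative time: {spec!r}")
    delta = timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})
    return int((now - delta).timestamp())

def build_restsearch_body(window: str, key: str = "timestamp") -> dict:
    """Custom JSON body for /events/restSearch. `last` is the key the app maps to
    publish time; `timestamp` filters on the event's own modification time."""
    if key not in ("last", "timestamp", "publish_timestamp"):
        raise ValueError(f"unknown time filter key: {key!r}")
    return {"returnFormat": "json", key: window}

def select_events(events: list, window: str, key: str) -> list:
    """Client-side replica of the server filter: keep events whose `key` lies within `window`."""
    bound = relative_to_epoch(window)
    return [e["info"] for e in events if int(e[key]) >= bound]

def _epoch(*ymdhm: int) -> str:          # MISP serialises epoch fields as strings
    return str(int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp()))

# Constructed sample: a freshly installed instance pulled two year-old events from a
# remote and published them "today", alongside one genuinely new event.
EVENTS = [
    {"info": "2023 event A", "timestamp": _epoch(2023, 3, 1, 9, 0),
     "publish_timestamp": _epoch(2024, 2, 29, 20, 0)},
    {"info": "2023 event B", "timestamp": _epoch(2023, 6, 15, 12, 0),
     "publish_timestamp": _epoch(2024, 2, 29, 20, 1)},
    {"info": "new event", "timestamp": _epoch(2024, 2, 29, 22, 0),
     "publish_timestamp": _epoch(2024, 2, 29, 22, 5)},
]

if __name__ == "__main__":
    print("last=1d (publish time) ->", select_events(EVENTS, "1d", "publish_timestamp"))
    print("timestamp=1d           ->", select_events(EVENTS, "1d", "timestamp"))
    print("restSearch body:", build_restsearch_body("1d"))
```

Running it shows all three events matching on publish time but only "new event" matching on timestamp, which is the over-collection Romain reports after a fresh pull.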