All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Security Essentials: 'mvmap' function is unsupported or undefined

unknown_platfor
Engager
‎11-08-2020 07:40 PM

Splunk Cloud: v7.2.9

SSE: v3.2.0

In SSE, under Analytics Advisor > MITRE ATT&CK Framework > Available Content > MITRE Att&CK Matrix I am getting the error:

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.
 error.png

 

SPL for search

 

 

| mitremap popular_only="$show_popular_techniques$" content_available=$show_content_available$ groups="$threat_group$" platforms="$mitre_platforms$"
| foreach *
    [ | rex field="<<FIELD>>" "(?<technique_temp>.*) \("
    | eval Technique_nogroups=coalesce(technique_temp,'<<FIELD>>')
    | eval "<<FIELD>> Tactic" = "<<FIELD>>"
    | eval Matrix="Enterprise ATT&CK"
    | eval "Sub-Technique"="-"
    | lookup mitre_environment_count.csv Matrix "Sub-Technique" Technique AS Technique_nogroups, "Tactic" AS "<<FIELD>> Tactic" OUTPUT "Active" "Available" "Needs data" "Data Source"
    | eval "Data Source"=split('Data Source',",")
    | eval "Data Source"=mvfilter($data_sources_selected_filter$)
    | rex field="Data Source" "(?<Data_Source>[^:]*)::(?<Data_Source_Count>.*)"
    | rename Data_Source AS "Data Source"
    | eval Selected=if(in('Data Source',$datasource_selection$) , Data_Source_Count,0)
    | eval Selected=tonumber(coalesce(mvindex(Selected,0,0),0))+tonumber(coalesce(mvindex(Selected,1,1),0))+tonumber(coalesce(mvindex(Selected,2,2),0))+tonumber(coalesce(mvindex(Selected,3,3),0))+tonumber(coalesce(mvindex(Selected,4,4),0))+tonumber(coalesce(mvindex(Selected,5,5),0))+tonumber(coalesce(mvindex(Selected,6,6),0))
    | fields - Technique_nogroups technique_temp "Sub-Technique"
    | eval count = coalesce(count, 1), temp = "t" + count, {temp}='<<FIELD>>', color="#00A9F8", colorby="$colorby$"

    | eval text='<<FIELD>>'
    | eval p0_count=coalesce(Active,0)
    | eval p1_count=coalesce(Available,0)
    | eval p2_count=coalesce('Needs data',0)
    | eval p3_count=coalesce('Selected',0)
    | eval total_count=p0_count+p1_count+p2_count
    | eval opacity=tostring(case(
        colorby="Active",p0_count/20,
        colorby="Available",p1_count/20,
        colorby="Needs data",p2_count/20,
        colorby="Total",total_count/20
        ))
    | eval tooltip="Active: ".p0_count."<br />"."Available: ".p1_count."<br />"."Needs data: ".p2_count."<br />"."Total: ".total_count."<br />"."Selected: ".p3_count
    | eval "<<FIELD>>_Groups"=rtrim(mvindex(split('text', " ("),1),")")
    | eval "Technique"=mvindex(split('text', " ("),0)
    | lookup mitre_matrix_list.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique OUTPUT TechniqueId AS "<<FIELD>>"_TechniqueId 
    | eval IsSubTechnique="Yes"
    | lookup mitre_environment_count.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique IsSubTechnique OUTPUT "Sub-Technique" Active AS Active_SubTechnique Available AS Available_SubTechnique "Needs data" AS "Needs Data_SubTechnique" Sub_Technique_Total AS Total_SubTechnique
    | eval Opacity_SubTechnique=case(
    colorby="Active", mvmap(Active_SubTechnique,Active_SubTechnique/10),
    colorby="Available", mvmap(Available_SubTechnique,Available_SubTechnique/10),
    colorby="Needs data", mvmap('Needs Data_SubTechnique','Needs Data_SubTechnique'/10),
    colorby="Total", mvmap(Total_SubTechnique,Total_SubTechnique/10)
    )
    | eval Color_SubTechnique=mvmap(Active_SubTechnique,'color')
    | eval Active_SubTechniqueJson=mvmap(Active_SubTechnique,"\"Active\": ".Active_SubTechnique),Available_SubTechniqueJson=mvmap(Available_SubTechnique,"\"Available\": ".Available_SubTechnique),NeedsData_SubTechniqueJson=mvmap('Needs Data_SubTechnique',"\"Needs Data\": ".'Needs Data_SubTechnique'),Total_SubTechniqueJson=mvmap('Total_SubTechnique',"\"Total\": ".'Total_SubTechnique'),Color_SubTechniqueJson=mvmap('Color_SubTechnique',"\"Color\": \"".'Color_SubTechnique'."\""),Opacity_SubTechniqueJson=mvmap('Opacity_SubTechnique',"\"Opacity\": ".'Opacity_SubTechnique') 
    | eval SubTechniqueValuesMerge=mvzip(Active_SubTechniqueJson,mvzip(Available_SubTechniqueJson,mvzip(NeedsData_SubTechniqueJson,mvzip(Color_SubTechniqueJson,mvzip(Opacity_SubTechniqueJson,Total_SubTechniqueJson))))) 
    | eval Sub_Technique=coalesce(",\"Sub_Techniques\": {".mvjoin(mvzip(mvmap('Sub-Technique',"\"".'Sub-Technique'."\""),mvmap(SubTechniqueValuesMerge, "{".SubTechniqueValuesMerge."}"),": "),",")."}","") 
    | fields - *_SubTechniqueJson  Active_SubTechnique Available_SubTechnique "Needs Data_SubTechnique" "Sub-Technique" IsSubTechnique SubTechniqueValuesMerge *_SubTechnique 
    
    | eval "<<FIELD>>_TechniqueId"=mvdedup('<<FIELD>>_TechniqueId') 
    | eval "<<FIELD>>" = if(text!="",mvappend("TechniqueId: ".'<<FIELD>>_TechniqueId',"Technique: ".Technique,"Color: ".color,"Opacity: ".opacity,"Active: ".p0_count,"Available: ".p1_count,"Needs data: ".p2_count,"Total: ".total_count,"Selected: ".p3_count,"Groups: ".'<<FIELD>>_Groups'),null) 
    | eval "<<FIELD>>"="{".mvjoin(mvmap('<<FIELD>>',"\"".mvindex(split('<<FIELD>>',": "),0)."\": \"".mvindex(split('<<FIELD>>',": "),1)."\""),",").Sub_Technique."}"
    | eval count = count + 1 
        ]
        | fields - temp count Active Available "Needs data" tooltip *Tactic color colorby opacity p0* p1* p2* t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 text total_count "Data Source" Data_Source_Count Selected p3_count Matrix *_TechniqueId *_Groups Technique "Sub-Technique" Sub_Technique

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-08-2020 08:58 PM

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-08-2020 08:58 PM

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

Reply
Solved! Jump to solution

unknown_platfor
Engager
‎11-10-2020 05:24 AM

@bowesmana   I didn't realize that.  Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...