All Apps and Add-ons

Splunk Security Essentials: 'mvmap' function is unsupported or undefined

unknown_platfor
Engager

Splunk Cloud: v7.2.9

SSE: v3.2.0

In SSE, under Analytics Advisor > MITRE ATT&CK Framework > Available Content > MITRE Att&CK Matrix I am getting the error:

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.
 error.png

 

SPL for search

 

 

| mitremap popular_only="$show_popular_techniques$" content_available=$show_content_available$ groups="$threat_group$" platforms="$mitre_platforms$"
| foreach *
    [ | rex field="<<FIELD>>" "(?<technique_temp>.*) \("
    | eval Technique_nogroups=coalesce(technique_temp,'<<FIELD>>')
    | eval "<<FIELD>> Tactic" = "<<FIELD>>"
    | eval Matrix="Enterprise ATT&CK"
    | eval "Sub-Technique"="-"
    | lookup mitre_environment_count.csv Matrix "Sub-Technique" Technique AS Technique_nogroups, "Tactic" AS "<<FIELD>> Tactic" OUTPUT "Active" "Available" "Needs data" "Data Source"
    | eval "Data Source"=split('Data Source',",")
    | eval "Data Source"=mvfilter($data_sources_selected_filter$)
    | rex field="Data Source" "(?<Data_Source>[^:]*)::(?<Data_Source_Count>.*)"
    | rename Data_Source AS "Data Source"
    | eval Selected=if(in('Data Source',$datasource_selection$) , Data_Source_Count,0)
    | eval Selected=tonumber(coalesce(mvindex(Selected,0,0),0))+tonumber(coalesce(mvindex(Selected,1,1),0))+tonumber(coalesce(mvindex(Selected,2,2),0))+tonumber(coalesce(mvindex(Selected,3,3),0))+tonumber(coalesce(mvindex(Selected,4,4),0))+tonumber(coalesce(mvindex(Selected,5,5),0))+tonumber(coalesce(mvindex(Selected,6,6),0))
    | fields - Technique_nogroups technique_temp "Sub-Technique"
    | eval count = coalesce(count, 1), temp = "t" + count, {temp}='<<FIELD>>', color="#00A9F8", colorby="$colorby$"

    | eval text='<<FIELD>>'
    | eval p0_count=coalesce(Active,0)
    | eval p1_count=coalesce(Available,0)
    | eval p2_count=coalesce('Needs data',0)
    | eval p3_count=coalesce('Selected',0)
    | eval total_count=p0_count+p1_count+p2_count
    | eval opacity=tostring(case(
        colorby="Active",p0_count/20,
        colorby="Available",p1_count/20,
        colorby="Needs data",p2_count/20,
        colorby="Total",total_count/20
        ))
    | eval tooltip="Active: ".p0_count."<br />"."Available: ".p1_count."<br />"."Needs data: ".p2_count."<br />"."Total: ".total_count."<br />"."Selected: ".p3_count
    | eval "<<FIELD>>_Groups"=rtrim(mvindex(split('text', " ("),1),")")
    | eval "Technique"=mvindex(split('text', " ("),0)
    | lookup mitre_matrix_list.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique OUTPUT TechniqueId AS "<<FIELD>>"_TechniqueId 
    | eval IsSubTechnique="Yes"
    | lookup mitre_environment_count.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique IsSubTechnique OUTPUT "Sub-Technique" Active AS Active_SubTechnique Available AS Available_SubTechnique "Needs data" AS "Needs Data_SubTechnique" Sub_Technique_Total AS Total_SubTechnique
    | eval Opacity_SubTechnique=case(
    colorby="Active", mvmap(Active_SubTechnique,Active_SubTechnique/10),
    colorby="Available", mvmap(Available_SubTechnique,Available_SubTechnique/10),
    colorby="Needs data", mvmap('Needs Data_SubTechnique','Needs Data_SubTechnique'/10),
    colorby="Total", mvmap(Total_SubTechnique,Total_SubTechnique/10)
    )
    | eval Color_SubTechnique=mvmap(Active_SubTechnique,'color')
    | eval Active_SubTechniqueJson=mvmap(Active_SubTechnique,"\"Active\": ".Active_SubTechnique),Available_SubTechniqueJson=mvmap(Available_SubTechnique,"\"Available\": ".Available_SubTechnique),NeedsData_SubTechniqueJson=mvmap('Needs Data_SubTechnique',"\"Needs Data\": ".'Needs Data_SubTechnique'),Total_SubTechniqueJson=mvmap('Total_SubTechnique',"\"Total\": ".'Total_SubTechnique'),Color_SubTechniqueJson=mvmap('Color_SubTechnique',"\"Color\": \"".'Color_SubTechnique'."\""),Opacity_SubTechniqueJson=mvmap('Opacity_SubTechnique',"\"Opacity\": ".'Opacity_SubTechnique') 
    | eval SubTechniqueValuesMerge=mvzip(Active_SubTechniqueJson,mvzip(Available_SubTechniqueJson,mvzip(NeedsData_SubTechniqueJson,mvzip(Color_SubTechniqueJson,mvzip(Opacity_SubTechniqueJson,Total_SubTechniqueJson))))) 
    | eval Sub_Technique=coalesce(",\"Sub_Techniques\": {".mvjoin(mvzip(mvmap('Sub-Technique',"\"".'Sub-Technique'."\""),mvmap(SubTechniqueValuesMerge, "{".SubTechniqueValuesMerge."}"),": "),",")."}","") 
    | fields - *_SubTechniqueJson  Active_SubTechnique Available_SubTechnique "Needs Data_SubTechnique" "Sub-Technique" IsSubTechnique SubTechniqueValuesMerge *_SubTechnique 
    
    | eval "<<FIELD>>_TechniqueId"=mvdedup('<<FIELD>>_TechniqueId') 
    | eval "<<FIELD>>" = if(text!="",mvappend("TechniqueId: ".'<<FIELD>>_TechniqueId',"Technique: ".Technique,"Color: ".color,"Opacity: ".opacity,"Active: ".p0_count,"Available: ".p1_count,"Needs data: ".p2_count,"Total: ".total_count,"Selected: ".p3_count,"Groups: ".'<<FIELD>>_Groups'),null) 
    | eval "<<FIELD>>"="{".mvjoin(mvmap('<<FIELD>>',"\"".mvindex(split('<<FIELD>>',": "),0)."\": \"".mvindex(split('<<FIELD>>',": "),1)."\""),",").Sub_Technique."}"
    | eval count = count + 1 
        ]
        | fields - temp count Active Available "Needs data" tooltip *Tactic color colorby opacity p0* p1* p2* t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 text total_count "Data Source" Data_Source_Count Selected p3_count Matrix *_TechniqueId *_Groups Technique "Sub-Technique" Sub_Technique

 

 

Labels (1)
Tags (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

unknown_platfor
Engager

@bowesmana   I didn't realize that.  Thank you!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...