All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Security Essentials: 'mvmap' function is unsupported or undefined

unknown_platfor
Engager
‎11-08-2020 07:40 PM

Splunk Cloud: v7.2.9

SSE: v3.2.0

In SSE, under Analytics Advisor > MITRE ATT&CK Framework > Available Content > MITRE Att&CK Matrix I am getting the error:

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.
 error.png

 

SPL for search

 

 

| mitremap popular_only="$show_popular_techniques$" content_available=$show_content_available$ groups="$threat_group$" platforms="$mitre_platforms$"
| foreach *
    [ | rex field="<<FIELD>>" "(?<technique_temp>.*) \("
    | eval Technique_nogroups=coalesce(technique_temp,'<<FIELD>>')
    | eval "<<FIELD>> Tactic" = "<<FIELD>>"
    | eval Matrix="Enterprise ATT&CK"
    | eval "Sub-Technique"="-"
    | lookup mitre_environment_count.csv Matrix "Sub-Technique" Technique AS Technique_nogroups, "Tactic" AS "<<FIELD>> Tactic" OUTPUT "Active" "Available" "Needs data" "Data Source"
    | eval "Data Source"=split('Data Source',",")
    | eval "Data Source"=mvfilter($data_sources_selected_filter$)
    | rex field="Data Source" "(?<Data_Source>[^:]*)::(?<Data_Source_Count>.*)"
    | rename Data_Source AS "Data Source"
    | eval Selected=if(in('Data Source',$datasource_selection$) , Data_Source_Count,0)
    | eval Selected=tonumber(coalesce(mvindex(Selected,0,0),0))+tonumber(coalesce(mvindex(Selected,1,1),0))+tonumber(coalesce(mvindex(Selected,2,2),0))+tonumber(coalesce(mvindex(Selected,3,3),0))+tonumber(coalesce(mvindex(Selected,4,4),0))+tonumber(coalesce(mvindex(Selected,5,5),0))+tonumber(coalesce(mvindex(Selected,6,6),0))
    | fields - Technique_nogroups technique_temp "Sub-Technique"
    | eval count = coalesce(count, 1), temp = "t" + count, {temp}='<<FIELD>>', color="#00A9F8", colorby="$colorby$"

    | eval text='<<FIELD>>'
    | eval p0_count=coalesce(Active,0)
    | eval p1_count=coalesce(Available,0)
    | eval p2_count=coalesce('Needs data',0)
    | eval p3_count=coalesce('Selected',0)
    | eval total_count=p0_count+p1_count+p2_count
    | eval opacity=tostring(case(
        colorby="Active",p0_count/20,
        colorby="Available",p1_count/20,
        colorby="Needs data",p2_count/20,
        colorby="Total",total_count/20
        ))
    | eval tooltip="Active: ".p0_count."<br />"."Available: ".p1_count."<br />"."Needs data: ".p2_count."<br />"."Total: ".total_count."<br />"."Selected: ".p3_count
    | eval "<<FIELD>>_Groups"=rtrim(mvindex(split('text', " ("),1),")")
    | eval "Technique"=mvindex(split('text', " ("),0)
    | lookup mitre_matrix_list.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique OUTPUT TechniqueId AS "<<FIELD>>"_TechniqueId 
    | eval IsSubTechnique="Yes"
    | lookup mitre_environment_count.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique IsSubTechnique OUTPUT "Sub-Technique" Active AS Active_SubTechnique Available AS Available_SubTechnique "Needs data" AS "Needs Data_SubTechnique" Sub_Technique_Total AS Total_SubTechnique
    | eval Opacity_SubTechnique=case(
    colorby="Active", mvmap(Active_SubTechnique,Active_SubTechnique/10),
    colorby="Available", mvmap(Available_SubTechnique,Available_SubTechnique/10),
    colorby="Needs data", mvmap('Needs Data_SubTechnique','Needs Data_SubTechnique'/10),
    colorby="Total", mvmap(Total_SubTechnique,Total_SubTechnique/10)
    )
    | eval Color_SubTechnique=mvmap(Active_SubTechnique,'color')
    | eval Active_SubTechniqueJson=mvmap(Active_SubTechnique,"\"Active\": ".Active_SubTechnique),Available_SubTechniqueJson=mvmap(Available_SubTechnique,"\"Available\": ".Available_SubTechnique),NeedsData_SubTechniqueJson=mvmap('Needs Data_SubTechnique',"\"Needs Data\": ".'Needs Data_SubTechnique'),Total_SubTechniqueJson=mvmap('Total_SubTechnique',"\"Total\": ".'Total_SubTechnique'),Color_SubTechniqueJson=mvmap('Color_SubTechnique',"\"Color\": \"".'Color_SubTechnique'."\""),Opacity_SubTechniqueJson=mvmap('Opacity_SubTechnique',"\"Opacity\": ".'Opacity_SubTechnique') 
    | eval SubTechniqueValuesMerge=mvzip(Active_SubTechniqueJson,mvzip(Available_SubTechniqueJson,mvzip(NeedsData_SubTechniqueJson,mvzip(Color_SubTechniqueJson,mvzip(Opacity_SubTechniqueJson,Total_SubTechniqueJson))))) 
    | eval Sub_Technique=coalesce(",\"Sub_Techniques\": {".mvjoin(mvzip(mvmap('Sub-Technique',"\"".'Sub-Technique'."\""),mvmap(SubTechniqueValuesMerge, "{".SubTechniqueValuesMerge."}"),": "),",")."}","") 
    | fields - *_SubTechniqueJson  Active_SubTechnique Available_SubTechnique "Needs Data_SubTechnique" "Sub-Technique" IsSubTechnique SubTechniqueValuesMerge *_SubTechnique 
    
    | eval "<<FIELD>>_TechniqueId"=mvdedup('<<FIELD>>_TechniqueId') 
    | eval "<<FIELD>>" = if(text!="",mvappend("TechniqueId: ".'<<FIELD>>_TechniqueId',"Technique: ".Technique,"Color: ".color,"Opacity: ".opacity,"Active: ".p0_count,"Available: ".p1_count,"Needs data: ".p2_count,"Total: ".total_count,"Selected: ".p3_count,"Groups: ".'<<FIELD>>_Groups'),null) 
    | eval "<<FIELD>>"="{".mvjoin(mvmap('<<FIELD>>',"\"".mvindex(split('<<FIELD>>',": "),0)."\": \"".mvindex(split('<<FIELD>>',": "),1)."\""),",").Sub_Technique."}"
    | eval count = count + 1 
        ]
        | fields - temp count Active Available "Needs data" tooltip *Tactic color colorby opacity p0* p1* p2* t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 text total_count "Data Source" Data_Source_Count Selected p3_count Matrix *_TechniqueId *_Groups Technique "Sub-Technique" Sub_Technique

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-08-2020 08:58 PM

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-08-2020 08:58 PM

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

Reply
Solved! Jump to solution

unknown_platfor
Engager
‎11-10-2020 05:24 AM

@bowesmana   I didn't realize that.  Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...