Re: Using the Demisto Add-on, why am I getting the...

swong2 · ‎09-19-2018

I tried to pass the result token $result._time$ to the "Occured Time" field, but got the following error: "Enter valid epoch time for duration" while saving. It seems to me that the input only accepts epoch value, but that shouldn't prevent me from passing a token from the search result.

kamlesh_vaghela · ‎09-19-2018

@swong2

Can you please try following approach?

1) Store _time in another field.eg YOUR_SEARCH | eval TIME=_time
2) Use TIME to pass _time's value eg. $result.TIME$

Thanks

swong2 · ‎09-19-2018

It didn't work.

swong2 · ‎09-19-2018

I believe the problem is in config file splunk/etc/apps/TA-Demisto/default/restmap.conf

Validation

[validation:savedsearch]
action.demisto.param.occured = validate( match('action.demisto.param.occured', "((^[0-9]*$)|(\$trigger_time\$?)$)"), "Enter valid epoch time for duration")

kamlesh_vaghela · ‎09-19-2018

Can you please share your sample search & XML code ?

Using the Demisto Add-on, why am I getting the following error when passing a token to the "Occured Time" field: "Enter valid epoch time for duration"

Validation

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?