I checked for the same today The real implementation would be an add-on using python lib to do this nicely. I try to do something in SPL, but a better padding would be needed 😜   ``` code to add after your search ``` | foreach * [ eval mytitles_r_here=mvappend(mytitles_r_here,"<<FIELD>>"), myrows_r_here=mvappend(myrows_r_here,'<<FIELD>>') ] ``` building lines with delimiters ``` | eval mytitles_r_here="| ".mvjoin(mytitles_r_here," | ")." |" | eval myrows_r_here="| ".mvjoin(myrows_r_here," | ")." |" | eval thisispadding=myrows_r_here | rex mode=sed field=thisispadding "s/[^|]/-/g" | eval myrows_r_here = mvappend(thisispadding,myrows_r_here) ``` merging the rows``` | stats first(mytitles_r_here) AS mytitles_r_here list(myrows_r_here) AS myrows_r_here first(thisispadding) AS thisispadding | eval myrows_r_here = mvappend(myrows_r_here,thisispadding) ``` merging with title``` | eval thisispadding=mytitles_r_here | rex mode=sed field=thisispadding "s/[^|]/-/g" | eval this_is_the_result=mvappend(thisispadding,mytitles_r_here,myrows_r_here) | table this_is_the_result   ... View more

The bug is still there. As the code was a bit reworked now the solution is to : Edit /opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py and add at line 497 handler._timeout = handler_args.get('timeout') ... View more

Hello Karthick, I don't personally use the ta-thehive-ce only the create_thehive_alert from my github link, still in prod. Main page is providing all the details to do the setup. It should allow you to make it work Regards ... View more

Hello, Yes same remark about the splunk 8+ only I just tried it on a splunk heavy forwarder running version 7.3.6 and I am getting the following error       2020-07-14 16:17:48,687 ERROR pid=22745 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/ta_crowdstrike_falcon_event_streams/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/crowdstrike_event_streams.py", line 72, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 321, in collect_events crowdstrike_client() File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 189, in crowdstrike_client token_result, token_message, token_url= Stream().get_token(clientid, secret, api_endpoint, proxy) TypeError: 'NoneType' object is not iterable       Edit: I have the same failure with splunk 8.0.4.1and the default setting of python in the server.conf python.version = python2 🤔 Edit2: Still the same error with python.version = python3 😓 Edit3: Ok I have regenerated my api credential and it was the reason of the error ( really bad catch ) Now it is spamming an offset errors but maybe it is normal     2020-07-15 07:46:14,342 INFO pid=15876 tid=Thread-1 file=base_modinput.py:log_info:295 | Event Written 2020-07-15 07:46:14,342 ERROR pid=15876 tid=Thread-1 file=Stream_Attributes.py:record_offsets:116 | Failed to record offsets to offsets file. 2020-07-15 07:46:14,376 INFO pid=15876 tid=Thread-1 file=base_modinput.py:log_info:295 | Offset recording to KV store: XXXX_Detections_feed_num_0 {u'https://firehose.crowdstrike.com/sensors/entities/datafeed/v1/0?appId=splunk_qualif': XXXXX}   Edit4: For the error in edit3, it is the creation of an empty dir in TA-crowdstrike-falcon-event-streams/bin/offsets that is missing, so python is failing to manage files here. Note that is app is deployed, it is important to add it to the exclusion to not loose its contain   ... View more

I post my crap and dirty solution in case... Edit /opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py look for the part : handler = handler_cls(self._logger, self._input_config.session_key, **handler_args) temp_checkpoint_filehandle = None and add just after it handler._timeout = handler_args.get('timeout') ... View more

Nice, thank you guys for the prompt update. Ahah yes, I just discovered today that possibility to move from our current schema in version 2 to 3, and 4 by speaking with the responsible of the cisco umbrella in my company. >_< Now, if you have more work to do on this TA, I would suggest that regarding the tags added to the logs, you should try to match more of the : https://docs.splunk.com/Documentation/CIM/4.12.0/User/NetworkResolutionDNS As CIM compliancy is about 9% actually if you evaluate it with : https://github.com/hire-vladimir/SA-cim_vladiator and https://splunkbase.splunk.com/app/1621/ Most of the time improvement can be done by just filling some of those fields with static info like [opendns:dnslogs] EVAL-dest_port = "53" EVAL-message_type = "Response" EVAL-transport = "udp" EVAL-vendor_product = "Cisco Umbrella" Note that the dest field missing in the raw log is also a big issue when doing searches So as a personal choice, that can't be part for sure of the published TA, I use : EVAL-dest = "208.67.222.222" To set and easy to recognize opendns ip This allow me to not loose cisco umbrella results from the datamodel queries when dest is used in the by condition Thank you again, happy to have improved things ... View more

You are welcome An additional question, by chance do you know why the final dot at the end of the query field is kept ? I know it is from the raw log but now I am removing with a sed at index time, it because it pollute the threatlist matching after. Thank you ... View more

Hello, First sorry as my message is not a direct answer to the topic We use a lot splunk with TheHive in my company, for that I have spent many hours to "improve" this "for our usage". And I think everyone can pick some info from that work, it is published here : https://github.com/swiip81/create_thehive_alert One of the main fix I have tried to implement is to allow a 'transparent' conversion from splunk fields ( key=value ) to TheHive observables ( type=value*s* ) which is in my opinion the crucial thing to master. Hope it will be useful ... View more

Bug still here in 1.0.4 and breaking the ES datamodel used by Intrusion Center dashboards My workaround on the searchHeads is to replace the macro directly by the index name of crowdstrike. cd etc/apps/TA-crowdstrike ; mkdir -p local sed 's/`cs_get_index`/index=crowdstrike/' default/eventtypes.conf > local/eventtypes.conf ... View more

also in 7.0.X the part that is working in 7.1.X... | eval IDS=replace(IDS,"^|\s|$",",") have to be | eval IDS=replace(IDS,"\s",",") | eval IDS=",".IDS."," ... View more

Same answer but a bit more robust with negative numbers and numbers (>10) | makeresults | fields - _time | eval IDS="-4,3,4,6,7,13" | makemv IDS delim="," | mvexpand IDS | stats max(IDS) as maxID min(IDS) as minID values(IDS) as IDS | eval allIDs=mvrange(minID,maxID+1) | fields - minID maxID | nomv IDS | eval IDS=replace(IDS,"^|\s|$",",") | mvexpand allIDs | eval is_found=if(match(IDS,",".allIDs.","),1,0) | search is_found=0 | table allIDs ... View more

Hello, Not the answer you are looking for, but the workaround I use to avoid that “No results found” horrible display that kill dashboards formatting, is to append an empty row at search level to get always something displayed... example (the first line is supposed to give no results here) : index=notanindex | table host | appendpipe [ stats count | eval host="" | fields - count ] Still interested by a smarter solution 🙂 Best regards. ... View more

Hi, thank you for all your answers. To give more context about that : The rex pattern was not written by me that is why I did not commented the way it was done. The author committed it in January, the dashboard was review and approved, then I did splunk upgrade last week, and today I was warned by the owner that he had error everywhere when he tried to present its dashboard to someone else. Oupps, I though first about permissions issue, until I did what I explained in the first post. Ok I was lazy enough to build a 6.6.4 and put the dashboard, the datamodel and some ldap data, I tried looking at the doc first 🙂 Now I just did that test and yes confirm that rex changed between 6.5.x and 7.0.x as you explained I still think it would be good to know if some other changes were included, so I will follow asiddique_splunk commendation, and report here there is something interesting to share. ... View more

TIME_FORMAT=%Y%B%d*%I:%M:%S TIME_PREFIX=.*licensekey\.cpp\*\d+\*\d+\* MAX_TIMESTAMP_LOOKAHEAD=128 works on this sample ... View more

Hello, I know this is an old question, but it was ranked on search engines. Here is my solution. When you do that change manually as a user, in the report tab of search for example, then splunk modify users/YOURUSERNAME/search/local/ui-prefs.conf by adding : [reports] display.prefs.aclFilter = app Have a look to the upper global default file : etc/system/default/ui-prefs.conf and its documentation here : https://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Ui-prefsconf display.prefs.aclFilter = [none|owner|app] none = All / owner = Yours / app = This App's Now if your goal is it set that setting as default, globally and for everyone, you can do : create a file etc/system/local/ui-prefs.conf and put : display.prefs.aclFilter = app Then reload the splunk or refresh it with https://YOURSERVER/en-GB/debug/refresh Its seems to work as intended. Regards Flo ... View more