Context: Custom app development and iteration. I have created an app with the App Wizard and I am editing it locally. When it comes time to tarball it and upload it; the validation fails on "main_module" even though the JSON file was generated by SOAR.  Hi there, I am not necessarily new to app development in SOAR. I have created a connector before and I am iterating and creating V2. Unfortunately, this time around I cannot understand the issue I am receiving when I try to install my updated app.  My general development cycle looks like this:  init: Create the App via the Wizard.  1. Download the App and make changes; fill it out and now tarball it. 2. Upload the app and test; tweak via the web gui if needed; otherwise delete the app, update local code, re-tarball it and upload again... repeat.  (Please don't suggest the VSCode integration; I have used it in the past and am aware it exists)   Now to the problem I have coded my changes and am ready to upload the first iteration. I delete the app (the skeleton code from the App Wizard creation) and then install it. I get this error: [img text: 'teamdynamix.json' failed validation on value 'main_module'] (Within the JSON we have this line:  "main_module": "teamdynamix_connector.py", ) My File in the subfolder "phTeamDynamix": teamdynamix_connector.py. So... I downloaded the version 1 I know works. I added a single line to the Consts file that's included. I tarball and upload, and I get the error above. I'm curious why this is producing issues.  The only file changed is a file SOAR doesn't have a problem with; but the file that SOAR has a problem with was auto-generated.    My guess is this is related to the file structure or pre-pending of "ph" to the file structure when downloading the project or something like that.  Anyone encounter issues like this before? Any recommendations on how to structure my tarball before uploading? Should I rename the dir to remove the pre-pended "ph" to the structure? At a loss... Thanks! ... View more

Hey there, Let me start off by saying I can delete labels if there are no assets using them. The issue originates when an asset is "using" these labels but I cannot tell how.   For some reason we have "event" and "events" where I would like to delete the unused "event" label. But there's an asset using it. Looking under all configured assets I cannot find where the label "event" is used.   How can I accomplish my goal of finding the asset that is listed, when it's only a simple description: 1 Asset (asset name)   When looking at all my assets, only one matches. But inside this asset for the app Rest API, I can't find any mention or designation for labels whatsoever. The asset   ... View more

Hey all - thanks in advance! I have _raw log data that contains a header section and then what appears to be two entries within itself. I want to split these entries (they are formatted the same, except the latter appends a '1' onto each fieldname) and then create two events from this one event, like so: Before _raw = HEADER|PART1|PART2 After event1 = HEADER|PART1 event2 = HEADER|PART2   An event will come from the same IP and device name; the parts are paths and simple fields. Here is a sample log (bracketed to show how I want it split, but these brackets are not in the raw data): [Jun 12 23:00:09 server.i.j WRD: 0|AName|Named Application Server|1|0|Rule|0|ClientTime=7:02:28-PM CompName=sparse.info.given.here IPv4=x.x.x.x] [Path=No-Results-Found MD5= Size= Modified= RuleID= ValidHits= InvalidHits= NoValidationHits=] [Path1=No-Results-Found MD51= Size1= Modified1= RuleID1= ValidHits1= InvalidHits1= NoValidationHits1= Count=1] I would like the final results to be: Jun 12 23:00:09 server.i.j WRD: 0|AName|Named Application Server|1|0|Rule|0|ClientTime=7:02:28-PM CompName=sparse.info.given.here IPv4=x.x.x.x Path=No-Results-Found MD5= Size= Modified= RuleID= ValidHits= InvalidHits= NoValidationHits= Jun 12 23:00:09 server.i.j WRD: 0|AName|Named Application Server|1|0|Rule|0|ClientTime=7:02:28-PM CompName=sparse.info.given.here IPv4=x.x.x.x Path1=No-Results-Found MD51= Size1= Modified1= RuleID1= ValidHits1= InvalidHits1= NoValidationHits1= Count=1 Count is not really a big deal here, it can be on either log (the latter by default as it is the final field in the log) I have the regex to perform the part-splitting if rex is the move here: | rex field=_raw "(?<header>.*IPv4Address=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}) (?<part1>Path.*) (?<part2>Path.*)" Once recombined, I will still perform manipulation on the resulting logs, and I do not need to write to file or CSV. The issue this is causing relates to finding accurate hits on files (the ValidHits1 field is annoying; same with Path1). I can happily rename fields after rejoining my Parts to the header so I can then correlate on top of all data with common field names. Please feel free to ask for more information to help me out with this, and I appreciate any help you can give for this project! ... View more