how to create Splunk misp different events on one search result #8161

[burakatabay]

Hi
I want to create new misp event from splunk.
but I am not able to generate different misp events within a single search.
I try this search,

| makeresults
| eval misp_ip-src = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, misp_ip-dst =random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, source="adenemee" . random()%255 . random()%255
| eval id = random()%255 . random()%255
| makemv delim="," misp_ip-dst
| mvexpand misp_ip-dst
| append
[| makeresults
| eval misp_ip-src = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, misp_ip-dst =random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, source="bdenemee" . random()%255 . random()%255
| makemv delim="," misp_ip-dst
| eval id=random()%255 . random()%255
| mvexpand misp_ip-dst
]
| sendalert misp_alert_create_event param.misp_instance=misp param.title="title" param.description="description" param.distribution=0 param.threatlevel=1 param.analysis=0 param.tlp=TLP_AMBER param.pap=PAP_AMBER param.publish_on_creation=0 param.info=$result.source$ param.unique=$result.id$

Although there are two different unique ids here, 2 different events do not occur.
Can anyone support me ?

[remg427]

Hi Thank you for using misp42 In param simply mention which field contains the unique value param.unique=myuniquefield The script will process it to create 2 events When using Splunk token notation $result.id$ it Splunk handling replacement before calling script with the value of id in the first row so script receives a static value and therefore creates a single event Cheers Rémi Le 23 février 2022 14:14:13 GMT+01:00, burakatabay ***@***.***> a écrit :

…

Hi I want to create new misp event from splunk. but I am not able to generate different misp events within a single search. I try this search, | makeresults | eval misp_ip-src = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, misp_ip-dst =random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, source="adenemee" . random()%255 . random()%255 | eval id = random()%255 . random()%255 | makemv delim="," misp_ip-dst | mvexpand misp_ip-dst | append [| makeresults | eval misp_ip-src = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, misp_ip-dst =random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255, source="bdenemee" . random()%255 . random()%255 | makemv delim="," misp_ip-dst | eval id=random()%255 . random()%255 | mvexpand misp_ip-dst ] | sendalert misp_alert_create_event param.misp_instance=misp param.title="title" param.description="description" param.distribution=0 param.threatlevel=1 param.analysis=0 param.tlp=TLP_AMBER param.pap=PAP_AMBER param.publish_on_creation=0 param.info=$result.source$ param.unique=$result.id$ Although there are two different unique ids here, 2 different events do not occur. Can anyone support me ? -- Reply to this email directly or view it on GitHub: #212 You are receiving this because you are subscribed to this thread. Message ID: ***@***.***>

-- Sent with K-9 Mail.

[burakatabay]

Thank you so much for helping :) that's true.