Error in 'misprest' command: This command must be the first command of a search.

Question

Error in 'misprest' command: This command must be the first command of a search.

Opened this issue a year ago · 1 comments

Related to #249 , I tried creating the attributes directly using this:

| mispsight misp_instance=MISP_Feed field=src_ip   
| search NOT misp_value=*
| makejson first_seen,type,category,value,to_ids output=json_request

| misprest misp_instance=MISP_Feed method="POST" target="/attributes/add/999999"

But this seems to be incompatible because it is not the first command. Is this the anticipated behavior?

10-31-2023 15:53:16.143 INFO  script [1199491 searchOrchestrator] - stderr for script misprest will be added to search.log
10-31-2023 15:53:16.143 INFO  ServerConfig [1199491 searchOrchestrator] - Will add app jailing prefix /opt/splunk/bin/nsjail-wrapper for misp42splunk
10-31-2023 15:53:16.412 ERROR SearchPipeline [1199491 searchOrchestrator] - Error in 'misprest' command: This command must be the first command of a search.
10-31-2023 15:53:16.412 ERROR SearchPhaseGenerator [1199491 searchOrchestrator] - Validation of optimized search failed
10-31-2023 15:53:16.412 WARN  SearchPhaseGenerator [1199491 searchOrchestrator] - AST processing error, exception=31SearchProcessorMessageException, error=Error in 'misprest' command: This command must be the first command of a search.. Fall back to 2 phase.

Answer 1 · 2023-10-31T18:19:36.000Z

Hi Thank you for using MISP42 Yes this is expected: misprest is a generating command You may achieve preparation of json_request using a subsearch or command map. Cheers Remi