File created whitelist editor interface not working

[sebastiendamaye]

The "File created whitelist editor" view (file_create_whitelist.xml) doesn't work. Clicking on the "Submit" button doesn't add the entry, and the csv file threathunting_file_create_whitelist.csv should be manually edited.

[sebastiendamaye]

Patch to apply to default/data/ui/views/file_create_whitelist.xml to fix the issue:

@@ -48,6 +48,7 @@
         <title>Today's Entries</title>
         <search>
           <query>| makeresults 
+| eval input_host_fqdn = COALESCE(if(trim("$host_fqdn$")="", "*", trim("$host_fqdn$")), "*") 
 | eval input_mitre_technique_id = COALESCE(if(trim("$mitre_technique_id$")="", "*", trim("$mitre_technique_id$")), "*") 
 | eval input_process_path = COALESCE(if(trim("$process_path$")="", "*", trim("$process_path$")), "*") 
 | eval input_file_name = COALESCE(if(trim("$file_name$")="", "*", trim("$file_name$")), "*") 

[Suirand1]

@sebastiendamaye your patch does not work for me.
Adding | eval input_host_fqdn = COALESCE(if(trim("$host_fqdn$")="", "*", trim("$host_fqdn$")), "*") did not fix issue for newest version of threathunting app.
Pressing submit button deletes first line of my lookup CSV file

[sebastiendamaye]

@Suirand1 I applied the patch on the latest release (1.4.92) and it's working fine. Just make sure you restart Splunk once you have applied the patch.

[sebastiendamaye]

@olafhartong I take this opportunity to confirm that the latest release (1.4.92) is still suffering from this bug :)