Merge pull request #46 from arblade/main

thomaspatzke · web-flow · commit 2685a3ea67e3 · 2024-12-03T08:45:28.000+01:00
Fixing field null expression
diff --git a/sigma/backends/splunk/splunk.py b/sigma/backends/splunk/splunk.py
@@ -135,7 +135,7 @@ class SplunkBackend(TextQueryBackend):
         SigmaCompareExpression.CompareOperators.GTE: ">=",
     }
 
-    field_null_expression: ClassVar[str] = "{field}!=*"
+    field_null_expression: ClassVar[str] = "NOT {field}=*"
 
     convert_or_as_in: ClassVar[bool] = True
     convert_and_as_in: ClassVar[bool] = False

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ class SplunkBackend(TextQueryBackend):`
`135`	`135`	`SigmaCompareExpression.CompareOperators.GTE: ">=",`
`136`	`136`	`}`
`137`	`137`
`138`		`- field_null_expression: ClassVar[str] = "{field}!=*"`
	`138`	`+ field_null_expression: ClassVar[str] = "NOT {field}=*"`
`139`	`139`
`140`	`140`	`convert_or_as_in: ClassVar[bool] = True`
`141`	`141`	`convert_and_as_in: ClassVar[bool] = False`