topic How to exclude sub folders in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-exclude-sub-folders/m-p/350577#M103780 <P>Hi All</P> <P>I would like to monitor "4670: Permissions on an object were changed". </P> <P>I have the following query:</P> <P>index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "<EM>.</EM>"<BR /> | search [inputlookup xxxxxx.csv]<BR /> | Table _time EventCode Account_Name "Object_Type" "Object_Name"<BR /> | rename EventCode AS "Event", "Account_Name" AS "User", "Object_Type" AS "Object", "Object_Name" AS "Folder"</P> <P>In the results I get the root folder and all it subfolders. </P> <P>How can I exclude the subfolders from the results so I just get the root folder?</P> <P>Regards</P> Tue, 29 Sep 2020 13:50:36 GMT socdtv 2020-09-29T13:50:36Z How to exclude sub folders https://community.splunk.com/t5/Splunk-Search/How-to-exclude-sub-folders/m-p/350577#M103780 <P>Hi All</P> <P>I would like to monitor "4670: Permissions on an object were changed". </P> <P>I have the following query:</P> <P>index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "<EM>.</EM>"<BR /> | search [inputlookup xxxxxx.csv]<BR /> | Table _time EventCode Account_Name "Object_Type" "Object_Name"<BR /> | rename EventCode AS "Event", "Account_Name" AS "User", "Object_Type" AS "Object", "Object_Name" AS "Folder"</P> <P>In the results I get the root folder and all it subfolders. </P> <P>How can I exclude the subfolders from the results so I just get the root folder?</P> <P>Regards</P> Tue, 29 Sep 2020 13:50:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-sub-folders/m-p/350577#M103780 socdtv 2020-09-29T13:50:36Z Re: How to exclude sub folders https://community.splunk.com/t5/Splunk-Search/How-to-exclude-sub-folders/m-p/350578#M103781 <P>Hello soctv,<BR /> the field "Object_Name" contains the path with all folders, here i used eval split and mvindex to extract it. there are other ways like | rex command for example.<BR /> here is my search based on your search and a screenshot:</P> <PRE><CODE>index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "." | head | eval dirs=split(Object_Name ,"\\") | eval root_dir= mvindex(dirs, 1) | table _time EventCode Account_Name "Object_Type" "root_dir" </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2836i2A1767694B264F9F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>hope it helps</P> Wed, 26 Apr 2017 20:16:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-sub-folders/m-p/350578#M103781 adonio 2017-04-26T20:16:34Z