Solved: Re: How to achieve the result of the Datset - Minu...

archestain · ‎05-02-2021

Query A/Dataset A

sourcetype=aws_cloudtrail eventtime > "2021-01-01T00:00:00Z" AND eventtime < "2021-01-31T23:59:59Z" | stats values(eventnames) by accesskeyid

output:

accesskeyid. values(eventnames)

ABCD. ListTopic CreateTopic

EFGH. CreateStream

Query B/Dataset B

sourcetype=aws_cloudtrail eventtime > "2021-04-01T00:00:00Z" AND eventtime < "2021-04-28T23:59:59Z" | stats values(eventnames) by accesskeyid

output:

accesskeyid. values(eventnames)

ABCD ListTopic ListBuckets Createtopic

EFGH. CreateStream DeleteStream

DEF. ListTickets

Ask:

Please provide a query where i need the output like below where only the unique values of eventnames from datasetB group by acesskeyid should be listed out when i run both the queries at the same search

output:

accesskeyid. values(eventnames)

ABCD ListBuckets

EFGH. DeleteStream

DEF. ListTickets

Thanks inn advance

ITWhisperer · ‎05-02-2021

sourcetype=aws_cloudtrail (eventtime > "2021-01-01T00:00:00Z" AND eventtime < "2021-01-31T23:59:59Z") OR (eventtime > "2021-04-01T00:00:00Z" AND eventtime < "2021-04-28T23:59:59Z")
| eval eventnamesA=if(eventtime > "2021-01-01T00:00:00Z" AND eventtime < "2021-01-31T23:59:59Z",eventnames,null)
| eventstats values(eventnamesA) as eventnamesA by accesskeyid
| eval eventnames=if(isnull(mvfind(eventnamesA,eventnames)),eventnames,null)
| stats values(eventnames) by accesskeyid

View solution in original post

archestain · ‎05-03-2021

My bad, i mentioned the timelines wrong its the following eventtime > "2021-01-01T00:00:00Z" AND eventtime < "2021-03-31T23:59:59Z"

Ran the query but it does not fetch the expected result 😞

ITWhisperer · ‎05-03-2021

I assume eventnames is already extracted as a field? Can you share some anonymised events?

archestain · ‎05-04-2021

The field is not eventnames but eventname, my bad i executed with eventnames

Thanks ITWhisperer for your help

ITWhisperer · ‎05-02-2021

sourcetype=aws_cloudtrail (eventtime > "2021-01-01T00:00:00Z" AND eventtime < "2021-01-31T23:59:59Z") OR (eventtime > "2021-04-01T00:00:00Z" AND eventtime < "2021-04-28T23:59:59Z")
| eval eventnamesA=if(eventtime > "2021-01-01T00:00:00Z" AND eventtime < "2021-01-31T23:59:59Z",eventnames,null)
| eventstats values(eventnamesA) as eventnamesA by accesskeyid
| eval eventnames=if(isnull(mvfind(eventnamesA,eventnames)),eventnames,null)
| stats values(eventnames) by accesskeyid

How to achieve the result of the Datset - Minus query like

search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How to achieve the result of the Datset - Minus query like

search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey