FillNull Not Working for all aspects of the search

agrant21 · ‎03-22-2024

I am having trouble with my search. I am finding groups and my groups are broken down into organization, unit, and subunit. The tokens are being passed in for each respective part of the group.

example:

Group1: apple.banana.orange

Group2: apple. banana.grape

Group3: melon.berry

index | search organization = $org$ | search unit = $unit$ | search subunit = $subunit$ | eval group = organization."."unit."."subunit

This would output apple.bananan.orange and apple.banana.grape, but would not show anything for melon.berry

Sometimes I have groups that do not have subunits. When I tried to add the fillnulll:

index | search organization = $org$ | search unit = $unit$ | fillnull value="" $subunit$ | eval group =if(isnotnull($subunit$), organization."."unit."."subunit, "organization.".".unit)

That worked for groups with no subunit, but then the groups that did have subunits it did not work. This would output melon.berry, but it would output all the events for apple.banana. It wouldn't do the search specifically for orange or grape.

I am trying to have my search handle when a subunit token is passed and it is blank, what to do with it to output the correct values.

marnall · ‎03-22-2024

One thing you could do is put the search filter into the token, so that if the $subunit_search$ token is empty, it won't interfere with the search:

index=<index> organization="$org$" unit="$unit$" $subunit_search$

Set your inputs so that it sets $subunit_search$ to equal "subunit=<subunit_name>" or default to "" (empty string)

FillNull Not Working for all aspects of the search

drilldown

other

token

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...