Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: How to implement multiple where conditions wit...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
02-27-2020
05:52 AM
Hello,
We'd like to monitor configuration changes on our Linux host. For that we want to detect when in the datamodel Auditd the field nameis equal to /etc/audit/*, /etc/audisp/*, or /etc/libaudit.conf. Here is our basic search:
| tstats `security_content_summariesonly` count from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name
| `drop_dm_object_name("Auditd")`
The question is how can we implement in the same search 3 conditions below:
| where like(name,"%/etc/audit/%")
| where like(name,"%/etc/audisp/%")
| where name="/etc/libaudit.conf"
Logicaly it could be done via case statement, but we wasn't able to implement it. Do you have any ideas?
Thanks for the help.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumanssah
Communicator
02-27-2020
08:05 AM
Try something like
| tstats `security_content_summariesonly` count from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name | `drop_dm_object_name("Auditd")`
| search name="*/etc/audit/*" OR name="*/etc/audisp/*" OR name="*/etc/libaudit.conf*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumanssah
Communicator
02-27-2020
08:05 AM
Try something like
| tstats `security_content_summariesonly` count from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name | `drop_dm_object_name("Auditd")`
| search name="*/etc/audit/*" OR name="*/etc/audisp/*" OR name="*/etc/libaudit.conf*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
02-28-2020
12:23 AM
Exactly!
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cotyp
Path Finder
02-27-2020
07:01 AM
how about a multiple if statement? if(like(name, "etc....%"), "etc",if(like(name, "%audisp%"), "audisp"))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
02-27-2020
07:55 AM
Hi @cotyp,
With tstats you can use only from, where and by clause arguments. Personally I don't know how can I implement multiple if statements with these argements 😞
Get Updates on the Splunk Community!
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
