Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to implement multiple where conditions with li...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
02-27-2020
05:52 AM
Hello,
We'd like to monitor configuration changes on our Linux host. For that we want to detect when in the datamodel Auditd the field nameis equal to /etc/audit/*, /etc/audisp/*, or /etc/libaudit.conf. Here is our basic search:
| tstats `security_content_summariesonly` count from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name
| `drop_dm_object_name("Auditd")`
The question is how can we implement in the same search 3 conditions below:
| where like(name,"%/etc/audit/%")
| where like(name,"%/etc/audisp/%")
| where name="/etc/libaudit.conf"
Logicaly it could be done via case statement, but we wasn't able to implement it. Do you have any ideas?
Thanks for the help.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumanssah
Communicator
02-27-2020
08:05 AM
Try something like
| tstats `security_content_summariesonly` count from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name | `drop_dm_object_name("Auditd")`
| search name="*/etc/audit/*" OR name="*/etc/audisp/*" OR name="*/etc/libaudit.conf*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumanssah
Communicator
02-27-2020
08:05 AM
Try something like
| tstats `security_content_summariesonly` count from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name | `drop_dm_object_name("Auditd")`
| search name="*/etc/audit/*" OR name="*/etc/audisp/*" OR name="*/etc/libaudit.conf*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
02-28-2020
12:23 AM
Exactly!
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cotyp
Path Finder
02-27-2020
07:01 AM
how about a multiple if statement? if(like(name, "etc....%"), "etc",if(like(name, "%audisp%"), "audisp"))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
02-27-2020
07:55 AM
Hi @cotyp,
With tstats you can use only from, where and by clause arguments. Personally I don't know how can I implement multiple if statements with these argements 😞
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
