Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to implement multiple where conditions with like statement using tstats?

woodentree
Communicator
‎02-27-2020 05:52 AM

Hello,

We'd like to monitor configuration changes on our Linux host. For that we want to detect when in the datamodel Auditd the field nameis equal to /etc/audit/*, /etc/audisp/*, or /etc/libaudit.conf. Here is our basic search:

| tstats `security_content_summariesonly` count  from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name
| `drop_dm_object_name("Auditd")`

The question is how can we implement in the same search 3 conditions below:

| where like(name,"%/etc/audit/%")
| where like(name,"%/etc/audisp/%")
| where name="/etc/libaudit.conf"

Logicaly it could be done via case statement, but we wasn't able to implement it. Do you have any ideas?

Thanks for the help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sumanssah
Communicator
‎02-27-2020 08:05 AM

Try something like 

 | tstats `security_content_summariesonly` count  from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name     | `drop_dm_object_name("Auditd")`     

  | search name="*/etc/audit/*" OR name="*/etc/audisp/*" OR name="*/etc/libaudit.conf*"

View solution in original post

Reply
Solved! Jump to solution
Solution

sumanssah
Communicator
‎02-27-2020 08:05 AM

Try something like 

 | tstats `security_content_summariesonly` count  from datamodel=Auditd where nodename=Auditd.Path by _time span=1s host Auditd.name     | `drop_dm_object_name("Auditd")`     

  | search name="*/etc/audit/*" OR name="*/etc/audisp/*" OR name="*/etc/libaudit.conf*"
Reply
Solved! Jump to solution

woodentree
Communicator
‎02-28-2020 12:23 AM

Exactly!
Thanks for the help.

0 Karma
Reply
Solved! Jump to solution

cotyp
Path Finder
‎02-27-2020 07:01 AM

how about a multiple if statement? if(like(name, "etc....%"), "etc",if(like(name, "%audisp%"), "audisp"))

0 Karma
Reply
Solved! Jump to solution

woodentree
Communicator
‎02-27-2020 07:55 AM

Hi @cotyp,
With tstats you can use only from, where and by clause arguments. Personally I don't know how can I implement multiple if statements with these argements 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...