Splunk Search
Highlighted

How to exclude sub folders

New Member

Hi All

I would like to monitor "4670: Permissions on an object were changed".

I have the following query:

index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "ObjectName"!= "."
| search [inputlookup xxxxxx.csv]
| Table _time EventCode Account
Name "ObjectType" "ObjectName"
| rename EventCode AS "Event", "AccountName" AS "User", "ObjectType" AS "Object", "Object_Name" AS "Folder"

In the results I get the root folder and all it subfolders.

How can I exclude the subfolders from the results so I just get the root folder?

Regards

Tags (2)
0 Karma
Highlighted

Re: How to exclude sub folders

SplunkTrust
SplunkTrust

Hello soctv,
the field "Object_Name" contains the path with all folders, here i used eval split and mvindex to extract it. there are other ways like | rex command for example.
here is my search based on your search and a screenshot:

index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "." 
| head
| eval dirs=split(Object_Name ,"\\")
| eval root_dir= mvindex(dirs, 1)
| table _time EventCode Account_Name "Object_Type" "root_dir"

alt text

hope it helps

View solution in original post