Solved: How to exclude sub folders

socdtv · ‎04-26-2017

Hi All

I would like to monitor "4670: Permissions on an object were changed".

I have the following query:

index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "."
| search [inputlookup xxxxxx.csv]
| Table _time EventCode Account_Name "Object_Type" "Object_Name"
| rename EventCode AS "Event", "Account_Name" AS "User", "Object_Type" AS "Object", "Object_Name" AS "Folder"

In the results I get the root folder and all it subfolders.

How can I exclude the subfolders from the results so I just get the root folder?

Regards

adonio · ‎04-26-2017

Hello soctv,
the field "Object_Name" contains the path with all folders, here i used eval split and mvindex to extract it. there are other ways like | rex command for example.
here is my search based on your search and a screenshot:

index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "." 
| head
| eval dirs=split(Object_Name ,"\\")
| eval root_dir= mvindex(dirs, 1)
| table _time EventCode Account_Name "Object_Type" "root_dir"

hope it helps

View solution in original post

adonio · ‎04-26-2017

Hello soctv,
the field "Object_Name" contains the path with all folders, here i used eval split and mvindex to extract it. there are other ways like | rex command for example.
here is my search based on your search and a screenshot:

index=wineventlog sourcetype="WinEventLog:Security" "EventCode=4670" "Object_Name"!= "." 
| head
| eval dirs=split(Object_Name ,"\\")
| eval root_dir= mvindex(dirs, 1)
| table _time EventCode Account_Name "Object_Type" "root_dir"

hope it helps

How to exclude sub folders

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases