Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issues with Case statement

tgrogan_stack
Explorer
‎11-14-2017 02:21 PM

I have reviewed a number of already answered questions related to case statements but none that seem to address the issue I am having. I am trying to create a table to show AWS CloudTrail events associated with creating, deleting, modifying IAM groups in AWS.

I have no problem with basic details but I am attempting to use a case statement so I can display additional detail for events associated with attaching or detaching a policy to a group, namely the policy that is being attached or detached.

Here is my search string, and the results:

sourcetype="aws:cloudtrail" eventName= *Group* 
| eval Detail=case(eventName == DetachGroupPolicy, requestParameters.policyArn, eventName == AttachGroupPolicy, requestParameters.policyArn, 1=1, "N/A" ) 
| rename requestParameters.groupName as Group, userIdentity.userName as "Performed by" 
| table _time, eventName, Group, Detail, requestParameters.policyArn

RESULTS:
| _time | eventName | Group | Detail | requestParameters.policyArn |
|--------------------------------------------|-----------------------------|------------------|----------|-----------------------------------------------------------|
| 2017-11-14T13:01:30.000-0700 | DeleteGroup | TestGroup | N/A | |
| 2017-11-14T13:01:30.000-0700 | DetachGroupPolicy | TestGroup | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:01:19.000-0700 | UpdateGroup | tst_grp | N/A | |
| 2017-11-14T13:00:40.000-0700 | AttachGroupPolicy | tst_grp | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:00:40.000-0700 | CreateGroup | tst_grp | N/A | |

It seems that none of my case comparisons are evaluating to true. I've included the policyArn field to ensure it is actually populated and there are no typos.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-14-2017 08:58 PM

Hi

Can you please try this?

sourcetype="aws:cloudtrail" eventName= *Group* 
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-14-2017 08:58 PM

Hi

Can you please try this?

sourcetype="aws:cloudtrail" eventName= *Group* 
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn

Thanks

0 Karma
Reply
Solved! Jump to solution

tgrogan_stack
Explorer
‎11-15-2017 06:56 AM

Renaming requestParameters.policyArn worked. Thank you.

Please post this as an answer so I can mark it as the accepted answer.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-15-2017 07:09 AM

@tgrogan_stack, please accept @kamlesh_vaghela's answer to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎11-14-2017 08:49 PM

Try this!

| eval Detail=case(eventName == "DetachGroupPolicy", requestParameters.policyArn, eventName == "AttachGroupPolicy", requestParameters.policyArn, 1=1, "N/A" )

0 Karma
Reply
Solved! Jump to solution

tgrogan_stack
Explorer
‎11-15-2017 06:59 AM

This did address the issue of the comparison, but renaming the requestParameters.policyArn field, as suggested by kamlish provided the results I was seeking.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...