Solved: Issues with Case statement

tgrogan_stack · ‎11-14-2017

I have reviewed a number of already answered questions related to case statements but none that seem to address the issue I am having. I am trying to create a table to show AWS CloudTrail events associated with creating, deleting, modifying IAM groups in AWS.

I have no problem with basic details but I am attempting to use a case statement so I can display additional detail for events associated with attaching or detaching a policy to a group, namely the policy that is being attached or detached.

Here is my search string, and the results:

sourcetype="aws:cloudtrail" eventName= *Group* 
| eval Detail=case(eventName == DetachGroupPolicy, requestParameters.policyArn, eventName == AttachGroupPolicy, requestParameters.policyArn, 1=1, "N/A" ) 
| rename requestParameters.groupName as Group, userIdentity.userName as "Performed by" 
| table _time, eventName, Group, Detail, requestParameters.policyArn

RESULTS:
| _time | eventName | Group | Detail | requestParameters.policyArn |
|--------------------------------------------|-----------------------------|------------------|----------|-----------------------------------------------------------|
| 2017-11-14T13:01:30.000-0700 | DeleteGroup | TestGroup | N/A | |
| 2017-11-14T13:01:30.000-0700 | DetachGroupPolicy | TestGroup | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:01:19.000-0700 | UpdateGroup | tst_grp | N/A | |
| 2017-11-14T13:00:40.000-0700 | AttachGroupPolicy | tst_grp | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:00:40.000-0700 | CreateGroup | tst_grp | N/A | |

It seems that none of my case comparisons are evaluating to true. I've included the policyArn field to ensure it is actually populated and there are no typos.

kamlesh_vaghela · ‎11-14-2017

Hi

Can you please try this?

sourcetype="aws:cloudtrail" eventName= *Group* 
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn

Thanks

View solution in original post

kamlesh_vaghela · ‎11-14-2017

Hi

Can you please try this?

sourcetype="aws:cloudtrail" eventName= *Group* 
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn

Thanks

tgrogan_stack · ‎11-15-2017

Renaming requestParameters.policyArn worked. Thank you.

Please post this as an answer so I can mark it as the accepted answer.

niketn · ‎11-15-2017

@tgrogan_stack, please accept @kamlesh_vaghela's answer to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

HiroshiSatoh · ‎11-14-2017

Try this!

| eval Detail=case(eventName == "DetachGroupPolicy", requestParameters.policyArn, eventName == "AttachGroupPolicy", requestParameters.policyArn, 1=1, "N/A" )

tgrogan_stack · ‎11-15-2017

This did address the issue of the comparison, but renaming the requestParameters.policyArn field, as suggested by kamlish provided the results I was seeking.

Issues with Case statement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation