Solved: Issues with Case statement

tgrogan_stack · ‎11-14-2017

I have reviewed a number of already answered questions related to case statements but none that seem to address the issue I am having. I am trying to create a table to show AWS CloudTrail events associated with creating, deleting, modifying IAM groups in AWS.

I have no problem with basic details but I am attempting to use a case statement so I can display additional detail for events associated with attaching or detaching a policy to a group, namely the policy that is being attached or detached.

Here is my search string, and the results:

sourcetype="aws:cloudtrail" eventName= *Group* 
| eval Detail=case(eventName == DetachGroupPolicy, requestParameters.policyArn, eventName == AttachGroupPolicy, requestParameters.policyArn, 1=1, "N/A" ) 
| rename requestParameters.groupName as Group, userIdentity.userName as "Performed by" 
| table _time, eventName, Group, Detail, requestParameters.policyArn

RESULTS:
| _time | eventName | Group | Detail | requestParameters.policyArn |
|--------------------------------------------|-----------------------------|------------------|----------|-----------------------------------------------------------|
| 2017-11-14T13:01:30.000-0700 | DeleteGroup | TestGroup | N/A | |
| 2017-11-14T13:01:30.000-0700 | DetachGroupPolicy | TestGroup | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:01:19.000-0700 | UpdateGroup | tst_grp | N/A | |
| 2017-11-14T13:00:40.000-0700 | AttachGroupPolicy | tst_grp | N/A | arn:aws:iam::aws:policy/ReadOnlyAccess |
| 2017-11-14T13:00:40.000-0700 | CreateGroup | tst_grp | N/A | |

It seems that none of my case comparisons are evaluating to true. I've included the policyArn field to ensure it is actually populated and there are no typos.

kamlesh_vaghela · ‎11-14-2017

Hi

Can you please try this?

sourcetype="aws:cloudtrail" eventName= *Group* 
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn

Thanks

View solution in original post

kamlesh_vaghela · ‎11-14-2017

Hi

Can you please try this?

sourcetype="aws:cloudtrail" eventName= *Group* 
| rename requestParameters.policyArn As requestParameters_policyArn,requestParameters.groupName as Group, userIdentity.userName as "Performed by"
| eval Detail=case(eventName=="DetachGroupPolicy" OR eventNam =="AttachGroupPolicy" ,requestParameters_policyArn, 1=1, "N/A" )
| table _time, eventName, Group, Detail, requestParameters_policyArn

Thanks

tgrogan_stack · ‎11-15-2017

Renaming requestParameters.policyArn worked. Thank you.

Please post this as an answer so I can mark it as the accepted answer.

niketn · ‎11-15-2017

@tgrogan_stack, please accept @kamlesh_vaghela's answer to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

HiroshiSatoh · ‎11-14-2017

Try this!

| eval Detail=case(eventName == "DetachGroupPolicy", requestParameters.policyArn, eventName == "AttachGroupPolicy", requestParameters.policyArn, 1=1, "N/A" )

tgrogan_stack · ‎11-15-2017

This did address the issue of the comparison, but renaming the requestParameters.policyArn field, as suggested by kamlish provided the results I was seeking.

Issues with Case statement

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms