Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to filter COMMAND twice?

jackjack
Path Finder
‎11-23-2021 01:36 PM

Hello all,

I am trying to setup a search that logs ufw commands, while ignoring any ufw status commands. I have tried a number of methods so far but cannot get the COMMAND field to filter appropriately.

Here is a version of the search: 

```

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw"
| table _time host user _raw
| where COMMAND!="*/usr/sbin/ufw status*"

```

I've tried a number of things including trying NOT instead of !, searching for various strings (status, *status*, etc.), filtering on the _raw field instead of COMMAND, using search instead of where, putting the table after the where, etc.

I cannot get the events to filter out. It seems like I either get all the events or none of the events depending on the filter I choose.

Any help here?

Thank you!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jackjack
Path Finder
‎11-29-2021 05:00 PM

Thanks for your suggestions!

Turns out the field never exists in a parsed state. This query solved the issue for me. 

 

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command

View solution in original post

0 Karma
Reply
Solved! Jump to solution

johnhuang
Motivator
‎11-24-2021 06:33 AM

"Why am I unable to filter COMMAND twice?"

The reason why you can't filter the COMMAND at the end is because that field no longer exists after being dropped when you specified "| table _time host user _raw".

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 07:04 AM

I'm an idiot for not spotting that and have modified by answer accordingly.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

jackjack
Path Finder
‎11-29-2021 05:00 PM

Thanks for your suggestions!

Turns out the field never exists in a parsed state. This query solved the issue for me. 

 

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 06:14 AM

The where command does not support wildcards.  You must use the match or like function or the search command.

 

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| search COMMAND!="*/usr/sbin/ufw status*"
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT match(COMMAND, "\/usr\/sbin\/ufw status")
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT like(COMMAND, "%/usr/sbin/ufw status%")

 

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...