Why am I unable to filter COMMAND twice?

jackjack
Path Finder

Hello all,

I am trying to set up a search that logs ufw commands, while ignoring any ufw status commands. I have tried a number of methods so far but cannot get the COMMAND field to filter appropriately.

Here is a version of the search:

```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw"
| table _time host user _raw
| where COMMAND!="*/usr/sbin/ufw status*"
```

I've tried a number of things including trying NOT instead of !, searching for various strings (status, *status*, etc.), filtering on the _raw field instead of COMMAND, using search instead of where, putting the table after the where, etc.

I cannot get the events to filter out. It seems like I either get all the events or none of the events depending on the filter I choose.

Any help here?

Thank you!


johnhuang
Motivator

"Why am I unable to filter COMMAND twice?"

The reason why you can't filter the COMMAND at the end is because that field no longer exists after being dropped when you specified "| table _time host user _raw".

richgalloway
SplunkTrust

I'm an idiot for not spotting that and have modified my answer accordingly.

---
If this reply helps you, Karma would be appreciated.

jackjack
Path Finder

Thanks for your suggestions!

Turns out the field never exists in a parsed state. This query solved the issue for me. 

```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command
```
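The rex extraction from the accepted answer, re-implemented in Python as an added example (not code from the original post) so the pattern can be checked offline against constructed auth.log lines. It also shows a caveat of the exact compare `ufw_command!="status"`: a line such as `ufw status numbered` is not filtered, so the change-only filter below tests the first word of the extracted command instead. Host names, user names and log lines are constructed.

```python
import re

# Constructed sudo entries in the shape of /var/log/auth.log (not from the original post).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 webdev01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/ufw status
Mar  3 10:01:40 webdev01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/ufw status numbered
Mar  3 10:02:05 webdev01 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/ufw allow 22/tcp
Mar  3 10:02:30 webdev01 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/ufw disable
Mar  3 10:03:00 webdev01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Same pattern as the accepted answer's rex, written in Python regex syntax.
UFW_RE = re.compile(r"COMMAND=(?P<ufw_path>/usr/sbin/ufw )(?P<ufw_command>.*)")
# The sudo log line carries the invoking user between "sudo:" and " :".
USER_RE = re.compile(r"sudo:\s+(?P<user>\S+) :")


def extract_ufw(line):
    """Return (user, ufw_command) for a sudo ufw line, or None for any other line."""
    m = UFW_RE.search(line)
    if not m:
        return None
    u = USER_RE.search(line)
    return (u.group("user") if u else "?", m.group("ufw_command").strip())


def accepted_answer_filter(log_text):
    """Mimics `where ufw_command!="status"`: exact compare, so 'status numbered' slips through."""
    rows = [extract_ufw(line) for line in log_text.splitlines()]
    return [r for r in rows if r is not None and r[1] != "status"]


def is_status_query(ufw_command):
    """True for any read-only status query (status, status numbered, status verbose, ...)."""
    return bool(ufw_command) and ufw_command.split(maxsplit=1)[0] == "status"


def ufw_changes(log_text):
    """Return (user, ufw_command) only for invocations that can change firewall state."""
    rows = [extract_ufw(line) for line in log_text.splitlines()]
    return [r for r in rows if r is not None and not is_status_query(r[1])]


if __name__ == "__main__":
    for user, cmd in ufw_changes(SAMPLE_AUTH_LOG):
        print(f"{user}: ufw {cmd}")
```

In SPL the same first-word test can be expressed with `where NOT match(ufw_command, "^status")`, which keeps the rex from the accepted answer unchanged.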

richgalloway
SplunkTrust

The where command does not support wildcards. You must use the match or like function or the search command.

```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| search COMMAND!="*/usr/sbin/ufw status*"
```

```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT match(COMMAND, "\/usr\/sbin\/ufw status")
```

```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT like(COMMAND, "%/usr/sbin/ufw status%")
```

---
If this reply helps you, Karma would be appreciated.