Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to filter COMMAND twice?

jackjack
Path Finder
‎11-23-2021 01:36 PM

Hello all,

I am trying to setup a search that logs ufw commands, while ignoring any ufw status commands. I have tried a number of methods so far but cannot get the COMMAND field to filter appropriately.

Here is a version of the search: 

```

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw"
| table _time host user _raw
| where COMMAND!="*/usr/sbin/ufw status*"

```

I've tried a number of things including trying NOT instead of !, searching for various strings (status, *status*, etc.), filtering on the _raw field instead of COMMAND, using search instead of where, putting the table after the where, etc.

I cannot get the events to filter out. It seems like I either get all the events or none of the events depending on the filter I choose.

Any help here?

Thank you!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jackjack
Path Finder
‎11-29-2021 05:00 PM

Thanks for your suggestions!

Turns out the field never exists in a parsed state. This query solved the issue for me. 

 

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command

View solution in original post

0 Karma
Reply
Solved! Jump to solution

johnhuang
Motivator
‎11-24-2021 06:33 AM

"Why am I unable to filter COMMAND twice?"

The reason why you can't filter the COMMAND at the end is because that field no longer exists after being dropped when you specified "| table _time host user _raw".

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 07:04 AM

I'm an idiot for not spotting that and have modified by answer accordingly.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

jackjack
Path Finder
‎11-29-2021 05:00 PM

Thanks for your suggestions!

Turns out the field never exists in a parsed state. This query solved the issue for me. 

 

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 06:14 AM

The where command does not support wildcards.  You must use the match or like function or the search command.

 

index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| search COMMAND!="*/usr/sbin/ufw status*"
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT match(COMMAND, "\/usr\/sbin\/ufw status")
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT like(COMMAND, "%/usr/sbin/ufw status%")

 

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...