Forum Discussion
Directory Search in ConfigurationChange
Hi
When you work with the query language almost never use search. It is always better to reference the table directly instead.
So instead of
search in (ConfigurationChange) (@"/var/adm" or @"/etc/*.conf")
do:
ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf"
Assuming that you know you want to search in ConfigurationChange table and FileSystemPath rule.
Notice also that, because you are not using the search syntax, the filtering is changed as well.
Because of that when using union your query should be something like this:
union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where FileSystemPath == @"/var/adm"
Hope this explains it and works.
- pho30, Feb 26, 2018, Copper Contributor
Thanks for the info. So when trying this out with the method below, it does not yield any results, however, when I do it with "search in" that is able to grab any activity within that directory.
When doing:
ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf"
I think this only targets the name of the path and nothing actually under it.
Whereas when I search:
search in (ConfigurationChange) (@"/var/adm" or @"/etc/*.conf")
I am able to see activity related to FileSystemPath about /var/adm/mount.
Is it possible to yield the results I am looking for using the query you suggested?
Thanks,
Sean
- Feb 26, 2018
Ok. Then maybe this way.
union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where * has @"/var/adm" or * has @"/etc/*.conf"
Reference: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/search-operator
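The two replies above show why `==` on FileSystemPath returned nothing while `search` did: `==` matches the whole string, so `/var/adm` never equals `/var/adm/mount`. The query below is an added example, not code from either poster, showing the same directory filter written against the table directly with `startswith` (a prefix match, which also catches everything under the directory) and a regular expression for the `*.conf` case. Note that `*` inside a `has` argument is not a wildcard; `has` looks for the literal term. The workspace names are the placeholders used in the thread; the `Computer` column is assumed to exist alongside `FileSystemPath` in ConfigurationChange.

```kql
// Added example (not from the original thread). Assumes the ConfigurationChange
// table exposes FileSystemPath and Computer; workspace1/workspace2 are placeholders.
union workspace('workspace1').ConfigurationChange,
      workspace('workspace2').ConfigurationChange
| where TimeGenerated > ago(24h)
// Exact match only returns the directory entry itself:
//   FileSystemPath == @"/var/adm"
// Prefix match returns the directory and everything beneath it, e.g. /var/adm/mount.
// '*' is not a wildcard for has/==; use a regex when a pattern like *.conf is meant.
| where FileSystemPath startswith @"/var/adm"
    or FileSystemPath matches regex @"^/etc/[^/]+\.conf$"
| project TimeGenerated, Computer, FileSystemPath
| order by TimeGenerated desc
```

Filtering on the column instead of `search`/`*` keeps the query bound to the one table and the one field you care about, which is both cheaper to run and less likely to pick up unrelated rows where the path string happens to appear in another column.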
- pho30, Feb 26, 2018, Copper Contributor
Yep, that's what I was looking for, thanks again!