Forum Discussion

Copper Contributor

Feb 22, 2018

Solved

Directory Search in ConfigurationChange

I'm having an issue searching in ConfigurationChange against directories across workspaces. When I run my initial query in only one workspace I am able to get results back on what changes were made...

azure monitor

Query Language

Stanislav_Zhelyazkov
Feb 26, 2018
Ok. Than may be this way.

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where * has @"/var/adm" or * has @"/etc/*.conf"

Reference: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/search-operator

pho30

Copper Contributor

Feb 26, 2018

Thanks for the info. So when trying this out with the method below, it does not yield any results, however, when I do it with "search in" that is able to grab any activity within that directory.

When doing:

ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf

I think this only targets the name of the path and nothing actually under it.

Where as when I search:

search in (ConfigurationChange)
(@"/var/adm" or @"/etc/*.conf")

I am able to see activity related to FileSystemPath about /var/adm/mount.

Is it possible to yield the results I am looking for using the query you suggested?

Thanks,

Sean

Stanislav_Zhelyazkov

MVP

Feb 26, 2018

Ok. Than may be this way.

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange  | where * has @"/var/adm" or * has @"/etc/*.conf"

Reference: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/search-operator

pho30
Copper Contributor
Feb 26, 2018
Yep, that's what I was looking for, thanks again!