Directory Search in ConfigurationChange

SH30 · ‎Feb 22 2018

I'm having an issue searching in ConfigurationChange against directories across workspaces.

When I run my initial query in only one workspace I am able to get results back on what changes were made within those directories (see screenshot 1, also below).

search in (ConfigurationChange)

(@"/var/adm" or @"/etc/*.conf")

Results yield changes to /var/adm/mount

How can I do this across workspaces? I am starting off with this in the query:

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange

I tried adding "search in" between union and workspace but it errors out, played with the parentheses as well and no luck. Is there a way to do this where it would look like the following:

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where FileSystemPath @"/var/adm" --> Essentially trying to replicate the query above where it searches that specified directory/path.

Pretty much everything I tried doesn't work out. Any suggestions?

Regards,

Sean

Stanislav Zhelyazkov · ‎Feb 26 2018

Hi

When you work with the query language almost never use search. It is always better to reference the table directly instead.

So instead of

search in (ConfigurationChange)
(@"/var/adm" or @"/etc/*.conf")

do:

ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf"

Assuming that you know you want to search in ConfigurationChange table and FileSystemPath rule.

Notice also because you are not using syntax the filtering is changed as well.

Because of that when using union your query should be something like this:

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where FileSystemPath == @"/var/adm"

Hope this explains it and works.

SH30 · ‎Feb 26 2018

Thanks for the info. So when trying this out with the method below, it does not yield any results, however, when I do it with "search in" that is able to grab any activity within that directory.

When doing:

ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf

I think this only targets the name of the path and nothing actually under it.

Where as when I search:

search in (ConfigurationChange)
(@"/var/adm" or @"/etc/*.conf")

I am able to see activity related to FileSystemPath about /var/adm/mount.

Is it possible to yield the results I am looking for using the query you suggested?

Thanks,

Sean

Stanislav Zhelyazkov · ‎Feb 26 2018

Ok. Than may be this way.

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange  | where * has @"/var/adm" or * has @"/etc/*.conf"

Reference: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/search-operator

SH30 · ‎Feb 26 2018

Yep, that's what I was looking for, thanks again!

Stanislav Zhelyazkov · ‎Feb 26 2018

Ok. Than may be this way.

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange  | where * has @"/var/adm" or * has @"/etc/*.conf"

Reference: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/search-operator

View solution in original post

Directory Search in ConfigurationChange

Directory Search in ConfigurationChange

Re: Directory Search in ConfigurationChange

Re: Directory Search in ConfigurationChange

Re: Directory Search in ConfigurationChange

Re: Directory Search in ConfigurationChange

Re: Directory Search in ConfigurationChange

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Directory Search in ConfigurationChange