Directory Search in ConfigurationChange


I'm having an issue searching in ConfigurationChange against directories across workspaces.

When I run my initial query in only one workspace I am able to get results back on what changes were made within those directories (see screenshot 1, also below).

search in (ConfigurationChange)

(@"/var/adm" or @"/etc/*.conf")

Results yield changes to /var/adm/mount


How can I do this across workspaces? I am starting off with this in the query:

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange


I tried adding "search in" between union and workspace but it errors out, played with the parentheses as well and no luck. Is there a way to do this where it would look like the following:

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where FileSystemPath @"/var/adm"   --> Essentially trying to replicate the query above where it searches that specified directory/path.

Pretty much everything I tried doesn't work out. Any suggestions?




4 Replies


When you work with the query language almost never use search. It is always better to reference the table directly instead.

So instead of 

search in (ConfigurationChange)
(@"/var/adm" or @"/etc/*.conf")


ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf"

Assuming that you know you want to search in ConfigurationChange table and FileSystemPath rule.

Notice also because you are not using syntax the filtering is changed as well.

Because of that when using union your query should be something like this:

union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where FileSystemPath == @"/var/adm" 

Hope this explains it and works.

Thanks for the info. So when trying this out with the method below, it does not yield any results, however, when I do it with "search in" that is able to grab any activity within that directory.


When doing:

ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf

 I think this only targets the name of the path and nothing actually under it.


Where as when I search:

search in (ConfigurationChange)
(@"/var/adm" or @"/etc/*.conf")

 I am able to see activity related to FileSystemPath about /var/adm/mount.


Is it possible to yield the results I am looking for using the query you suggested?




best response confirmed by Stanislav Zhelyazkov (MVP)

Ok. Than may be this way.


union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange  | where * has @"/var/adm" or * has @"/etc/*.conf"



Yep, that's what I was looking for, thanks again!