Feb 22 2018
07:10 PM
- last edited on
Apr 07 2022
04:54 PM
by
TechCommunityAP
I'm having an issue searching in ConfigurationChange against directories across workspaces.
When I run my initial query in only one workspace I am able to get results back on what changes were made within those directories (see screenshot 1, also below).
search in (ConfigurationChange)
(@"/var/adm" or @"/etc/*.conf")
Results yield changes to /var/adm/mount
How can I do this across workspaces? I am starting off with this in the query:
union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange
I tried adding "search in" between union and workspace but it errors out, played with the parentheses as well and no luck. Is there a way to do this where it would look like the following:
union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where FileSystemPath @"/var/adm"
Essentially I am trying to replicate the query above, where it searches that specified directory/path.
Pretty much everything I tried doesn't work out. Any suggestions?
Regards,
Sean
Feb 26 2018 02:48 AM
Hi
When you work with the query language, almost never use search. It is always better to reference the table directly instead.
So instead of
search in (ConfigurationChange) (@"/var/adm" or @"/etc/*.conf")
do:
ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf"
Assuming that you know you want to search in the ConfigurationChange table and the FileSystemPath column.
Notice also that because you are not using the search syntax, the filtering is changed as well.
Because of that when using union your query should be something like this:
union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where FileSystemPath == @"/var/adm"
Hope this explains it and works.
Feb 26 2018 09:11 AM
Thanks for the info. So when trying this out with the method below, it does not yield any results, however, when I do it with "search in" that is able to grab any activity within that directory.
When doing:
ConfigurationChange | where FileSystemPath == @"/var/adm" or FileSystemPath == @"/etc/*.conf"
I think this only targets the name of the path and nothing actually under it.
Where as when I search:
search in (ConfigurationChange) (@"/var/adm" or @"/etc/*.conf")
I am able to see activity related to FileSystemPath about /var/adm/mount.
Is it possible to yield the results I am looking for using the query you suggested?
Thanks,
Sean
Feb 26 2018 09:35 AM
Solution
Ok. Then maybe this way.
union workspace('workspace1').ConfigurationChange, workspace('workspace2').ConfigurationChange | where * has @"/var/adm" or * has @"/etc/*.conf"
Reference: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/search-operator
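The accepted `where * has ...` answer works because `has` is term-based: it finds the path components anywhere in any column, which is why `/var/adm/mount` shows up. Two caveats a practitioner will want: `has` is case-insensitive and the `*` in `@"/etc/*.conf"` is a literal character, not a wildcard. The query below is an added example (not code from the thread or from anyone in it) that keeps the cross-workspace `union` but filters the `FileSystemPath` column explicitly, using a case-sensitive prefix match for the directory and a regex for the `*.conf` glob. The workspace names are the thread's placeholders; the `ConfigChangeType == "Files"` filter and the `ChangeCategory`/`FieldsChanged`/`Computer` columns are assumptions about the ConfigurationChange schema and can be dropped if they are not present in your workspace.

```kql
// Added example, not from the original thread. Assumed: workspace names,
// the ConfigChangeType value "Files", and the projected column names.
union isfuzzy=true                                 // don't fail if one workspace lacks the table
    workspace('workspace1').ConfigurationChange,
    workspace('workspace2').ConfigurationChange
| where ConfigChangeType == "Files"                // assumed value: file-tracking rows only
| where FileSystemPath startswith_cs "/var/adm/"   // anything under the directory, case-sensitive (Linux paths)
    or FileSystemPath matches regex @"^/etc/[^/]+\.conf$"   // the /etc/*.conf glob, top level of /etc only
| project TimeGenerated, Computer, FileSystemPath, ChangeCategory, FieldsChanged
| order by TimeGenerated desc
```

`startswith_cs` (rather than `startswith`) avoids matching `/VAR/ADM/...`, and the trailing `/` in the prefix avoids matching a sibling such as `/var/admin`. Use `matches regex @"^/etc/.*\.conf$"` instead if you also want `.conf` files in subdirectories of `/etc`.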
Feb 26 2018 09:46 AM
Yep, that's what I was looking for, thanks again!