Hello,
I am trying to find a way to show events which are not meeting transaction requirements. So of course I can't use |transaction. I was thinking to use eval if or case, but I would be grateful for help. What I've got is:
index=abc host=server
source="C:\\...\\Logs\\ex*"
OR source="C:\\...\\cmdout1.log"
OR source="C:\\...\\cmdout2.log"
created OR encrypt
|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN
|table date_cre FileN encry date_enc
All works fine, but from the results I'd like to get rid of some events. The rule would be: ignore if both "created" and "encrypt" match FileN. That way, I would see only those files that didn't make it to the "encryption" step, which means an error for those files.
Thanks,
- F.
Yeah, I'm a bloody idiot... It was soooo simple, almost like somesoni2 suggested.
I wanted to post it yesterday, but Karma didn't let me post more than 2 each day.
|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN
|eval processed=if(match(date_enc, "\d"), "Yep", "Nope")
|table date_cre FileN processed date_enc
|search processed="Nope"
Because date_enc always has a first digit, I can easily check on it. And if a file didn't make it to the encryption step, the field "date_enc" is empty. To find the error files I only needed to search for it. Thanks for help anyway 🙂
Give this a try
index=abc host=server source="C:\\...\\Logs\\ex*" OR source="C:\\...\\cmdout1.log" OR source="C:\\...\\cmdout2.log"
created OR encrypt | eval type=if(match(_raw,"created"),"created","encrypt")
|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN | where mvcount(type)=1
|table date_cre FileN encry date_enc type
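As an added illustration (not part of the thread, and not Splunk code), here is a small Python re-implementation of the rex / stats / filter pipeline from both answers above, run over constructed sample events. It shows what the regex extracts from a "created" event versus an "encrypt" event, how grouping by FileN merges the two, and how both filters (the OP's check for an empty date_enc, and somesoni2's mvcount(type)=1) single out the file that never reached the encryption step. The FileN pattern is adjusted so that it matches the sample identifier shown in the thread (5-1-1-5-2-8-2 groups); the sample events, the "Started at:" line and the second file ID are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data). IDs are modelled on the one quoted in the thread.
# The first file has both a "created" and an "encrypt" event; the second only a "created" event.
EVENTS = [
    "2016-07-28 06:24:24 80.55.107.10 - (cut) [2035]created /90004-K-P-60721-01-30430489-14.fwd.pgp - 226 - 218196 - 22",
    "2016-07-28 06:25:10 80.55.107.10 - (cut) [2036]created /90004-K-P-60721-01-30430489-15.fwd.pgp - 226 - 201122 - 22",
    # multi-line "encrypt" event: date_enc is taken from the "Started at:" line (constructed)
    "Command: c:(cut)_pgp_encrypt.cmd 90004-K-P-60721-01-30430489-14.zip.end \\(cut)\\plpic\nStarted at: 07/28/2016 08:30:08",
]

# Same structure as the |rex in the thread, in Python named-group syntax.
# Assumption: FileN adjusted to the 5-1-1-5-2-8-2 layout of the sample ID.
EVENT_RE = re.compile(
    r"(?:(?P<date_cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*|(?:(?P<encry>encrypt)\.cmd\s))"
    r"(?P<FileN>\d{5}-\w-\w-\d{5}-\d{2}-\d{8}-\d{2})"
    r"(?:.*\nStarted at: (?P<date_enc>[ /0-9:]*))?"
)


def parse_events(events):
    """Mimic the |rex stage plus somesoni2's eval: one dict of extracted fields per event."""
    rows = []
    for ev in events:
        m = EVENT_RE.search(ev)
        if not m:
            continue  # Splunk would simply leave the fields unset for this event
        row = {k: v for k, v in m.groupdict().items() if v is not None}
        # eval type=if(match(_raw,"created"),"created","encrypt")
        row["type"] = "created" if "created" in ev else "encrypt"
        rows.append(row)
    return rows


def stats_by_filen(rows):
    """Mimic |stats values(*) as * by FileN: distinct values of every other field, per FileN."""
    grouped = defaultdict(lambda: defaultdict(set))
    for row in rows:
        for field, value in row.items():
            if field != "FileN":
                grouped[row["FileN"]][field].add(value)
    return grouped


def unencrypted_files(events):
    """OP's approach: a file is 'Nope' when it was created but date_enc never got a value."""
    grouped = stats_by_filen(parse_events(events))
    return sorted(f for f, fields in grouped.items()
                  if "date_cre" in fields and "date_enc" not in fields)


def single_type_files(events):
    """somesoni2's approach: keep a FileN only if exactly one event type was seen (mvcount(type)=1)."""
    grouped = stats_by_filen(parse_events(events))
    return sorted(f for f, fields in grouped.items() if len(fields.get("type", ())) == 1)


if __name__ == "__main__":
    for row in parse_events(EVENTS):
        print(row)
    print("not encrypted (isnull date_enc):", unencrypted_files(EVENTS))
    print("not encrypted (mvcount(type)=1):", single_type_files(EVENTS))
```

The two filters agree here, but they differ in one edge case worth keeping in mind: mvcount(type)=1 also keeps a file that has an "encrypt" event and no "created" event, whereas the empty-date_enc check only reports files that were created and never encrypted. Pick the one that matches what you want to alert on.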
Can you please post an example of an event you want to discard? Especially the value of the FileN field would be interesting, as this is the one you want to compare with your search strings.
There are two events. One is "created", which says the file was created in the system correctly, and the second is "encrypt", which says the file was processed correctly. As you can see, I've made a table out of it. As the final result, I want the table not to show those rows which have an encrypt event matched.
In events below "90004-K-P-60721-01-30430489-14" is FileN, and it occurs in both "created" and "encrypt".
Event #1 "encrypt" - this i want to hide
Command: c:(cut)_pgp_encrypt.cmd 90004-K-P-60721-01-30430489-14.zip.end \(cut)\plpic
... 3 lines omitted ...
(cut)
... 21 lines omitted ...
C:(cut)>if on == on echo Thu 07/28/2016- 8:30:08.91 OK - launch "c:(cut)pgp_encrypt.cmd" 90004-K-P-60721-01-30430489-14.zip.end \(cut)\script-072816-083008-15583.log
... 45 lines omitted ...
0x1419A3FE:encrypt ( (cut) )
\(cut)\90004-K-P-60721-01-30430489-14.zip:encrypt ( (cut) \OUT\90004-K-P-60721-01-30430489-14.zip.pgp)
Event #2 "created"
2016-07-28 06:24:24 80.55.107.10 - (cut) [2035]created /90004-K-P-60721-01-30430489-14.fwd.pgp - 226 - 218196 - 22