Hi Guys,
Right now I'm trying to set up a Splunk query to look for a series of Unix commands within either a multi-valued field (with all the commands) or a string that includes the command line. My only problem is that I'm unsure how to do the matching, and I was planning on using a lookup table to hold all of the commands that I'm looking for. I've been leaning towards doing a regex implementation, but it just seems sloppy. Any ideas?
Hi linu1988, I'm not planning on running the Linux commands; this search is meant to look through collections of Unix logs. My problem is that I'm trying to look at a multi-valued field from that search and figure out if any of those values are the input of a lookup table I have. For example, the log could have a field like: cp, mv, rm, and I'm looking to see if rm (or some other commands) are in there. I'm hesitant to do a huge regex, but think it may be my only option.
Even if it's multi-valued, the field contains the keyword. I haven't tested as I don't have relevant data. Try it out; if it's not working, use the multikv command to separate the mv fields and make it a single-valued field.
Hi Linu1988, I'm not too versed in sub-searches. How would the loaded csv be compared to a multi-valued field?
For example, if I set the CSV up like this (don't worry about the values, I had a user-defined mapping originally):
CSV: fields are on top
|command|val..|val..|
|su     |12321|12312|
|rm     |12313|12312|
|mv     |32134|12352|
and I'm trying to check if an Excel field that has values like below is in there (all one cell, it's multi-valued):
| mv |
| cp |
| ls |
Thanks for the help
Ahh, I get it. So a lookup is the best option: a CSV containing the commands. Just use a subsearch and get the result.
e.g.
index=blah sourcetype=blah [| inputcsv command.csv] | table _raw
Note: make sure any single column is present to match.
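The lookup-driven match this thread is after, as an added example (not code from either poster). It assumes events carry a field named command that is either multi-valued or a comma-separated string, a lookup file suspicious_commands.csv with a command column (plus the other columns from the CSV above), and host and user fields on the events:

```spl
index=unix sourcetype=linux_audit
| makemv delim="," command
| mvexpand command
| eval command=trim(command)
| search [| inputlookup suspicious_commands.csv | fields command]
| stats count values(command) AS matched_commands BY host, user
| sort - count
```

The subsearch expands to (command="su") OR (command="rm") OR ..., so only the command column is passed through with fields, and mvexpand turns the multi-valued field into one event per command so each value is compared on its own; makemv is only needed when command arrives as a single delimited string.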
How do you plan to execute the Unix command? Is the data indexed? If yes, then source=* will give you all the commands' results. Then see how it can be done. Correct me if I am wrong.