Hello,
My colleague and I noticed an issue in the following SPL.
If there is data, the SPL works. If there aren't any events, this error message comes up. How can this situation be handled cleanly?
"**Error in 'search' command: Unable to parse the search: Invalid search: OR OR.**"
`comment("THIS WORKS. 912 events new code. ~2:15 mins")`
index="linuxevents"
AND earliest=-24h@h AND latest=@h
AND host=server1
AND (source="/var/log/sudo.log" OR source="/var/log/secure" OR source="/var/log/audit/audit.log")
`comment("70 events -- audit.log -- acct or auid -- overlap with first 'OR subsearch'")`
AND [ search index="linuxevents"
AND earliest=-24h@h AND latest=@h
AND host=server1
AND source="/var/log/audit/audit.log"
AND (acct="user1" OR auid="1014")]
`comment("46 events -- audit.log -- ip address")`
OR [ search index="linuxevents"
AND earliest=-24h@h AND latest=@h
AND host=server1
AND source="/var/log/audit/audit.log"
AND acct="user1"
AND (auid!="0" AND auid!="4294967295")
AND addr!="?"
| head limit=1
| eval addr="\"".addr."\""
| return $addr ]
`comment("2 events -- audit.log -- new auid")`
OR [ search index="linuxevents"
AND earliest=-24h@h AND latest=@h
AND host=server1
AND source="/var/log/audit/audit.log"
AND (_raw="*new auid*" AND "1014") ]
| dedup _raw
| transaction event_id
`comment("7 events -- secure -- user or ip address.")`
| append
[ search index="linuxevents"
AND earliest=-24h@h AND latest=@h
AND (source="/var/log/sudo.log" OR source="/var/log/secure")
AND host=server1
| rex field=_raw "for\suser\s(?<userId>[\w\-]*)"
| rex field=_raw "publickey\sfor\s(?<userId>[\w\-]*)"
| rex field=_raw "\sfrom\s(?<ipAddr>(?:\d{1,3}\.){3}\d{1,3})|\sfrom\s(?<pcName>[0-9a-zA-Z\.\-]*)"
| where userId="user1" OR ipAddr="10.10.10.10" ]
| eval log=case(source=="/var/log/sudo.log", "sudo", source=="/var/log/secure", "secure", source=="/var/log/audit/audit.log", "audit")
| sort +_time
| table _time, log, host, addr, ipAddr, auid, acct, userId, pcName, ses, pid, _raw
Thanks and God bless,
Genesius
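The "OR OR" in the error is what the outer search looks like once the `| return $addr` subsearch has matched nothing: `return` then contributes an empty string rather than a search term, and the `OR` before it and the `OR` after it end up adjacent. The plain `[ search ... ]` subsearches do not trigger this because their results go through `format`. The search below is an added example, not part of Genesius' post, showing one way to rewrite that subsearch so it always yields exactly one term. It assumes the same index, host, source and field names as the question, that `stats count` emits a single row with `count=0` when there are no events, and that the placeholder `__no_match__` occurs in no raw event:

```spl
`comment("Added example: 'ip address' subsearch rewritten so it never returns an empty string")`
index="linuxevents"
AND earliest=-24h@h AND latest=@h
AND host=server1
AND source="/var/log/audit/audit.log"
AND acct="user1"
AND (auid!="0" AND auid!="4294967295")
AND addr!="?"
| head limit=1
`comment("stats with count always produces one row, even on zero events, so eval and return always run")`
| stats count, first(addr) as addr
`comment("assumption: __no_match__ appears in no event, so it is a harmless filler term on the OR chain")`
| eval addr=if(count=0, "\"__no_match__\"", "\"".addr."\"")
| return $addr
```

Run on its own, this produces one row whose `search` field is either the quoted address (for example `"10.10.10.10"`) or `"__no_match__"`; wrapped in `OR [ search ... ]` in place of the original subsearch, the outer search therefore always parses. The same idea applies to any `return`-based subsearch: make sure something upstream of `return` (here `stats count`) guarantees a row. On versions whose `format` command accepts `emptystr=`, replacing `| eval ... | return $addr` with `| fields addr | format emptystr="addr=\"__no_match__\""` is an alternative that keeps the field name in the generated term.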