Hello,
This is probably a stu*** question, but I am not able to find a clear answer.
My code to generate the lookup table works.
Here are the contents of my lookup table.
Input field **acct** Ex: *user1*
Output fields **aid** and **adr** Exs: *1111* and *10.10.10.10*
Input field is selected from a drop down in dashboard panel.
Need to search for events containing any combination of **acct**, **aid** and/or **adr**.
My code results in the same events containing all 3 of these fields.
Here is my code.
```
index="linuxevents" AND host=ru.us AND source="/var/log/audit/audit.log" AND earliest="09/23/2019:14:28:00" AND latest="09/23/2019:14:30:00"
`comment(" AND (acct="user1" OR auid=aid OR addr=adr) ")`
| lookup myAAAlookup.csv acct
| where (acct="user1") OR (auid=aid) OR (addr=adr)
| table _time, event_id, host, acct, auid, aid, addr, adr, _raw
```
Note: If I comment out the where command and uncomment the matching terms AND, the same events are generated containing ALL 3 fields.
Isn't there a simple way to do this?
Thanks in advance and God bless,
Genesius
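Added illustration (not from the post above) of why the query collapses to the events carrying all three fields: `lookup ... acct` only fills in `aid`/`adr` on events that already contain the selected `acct`, so a later `where` comparing `auid` and `addr` against those fields cannot match events that lack `acct`. Resolving the lookup row for the chosen account first and then comparing every event against its three values gives the "any of the three" behaviour; the lookup contents, field names and audit lines below are constructed.

```python
import csv
import io
import re

# Constructed lookup table in the shape described above (acct -> aid, adr).
LOOKUP_CSV = "acct,aid,adr\nuser1,1111,10.10.10.10\nuser2,2222,10.10.10.20\n"

# Constructed audit-style events; only the first carries acct="user1".
EVENTS = [
    'type=USER_LOGIN pid=101 acct="user1" auid=1111 addr=10.10.10.10 res=success',
    'type=SYSCALL pid=102 auid=1111 exe="/usr/bin/sudo"',
    'type=CRED_ACQ pid=103 acct="user2" auid=2222 addr=10.10.10.20 res=success',
    'type=USER_LOGIN pid=104 acct="root" auid=0 addr=10.10.10.10 res=failed',
    'type=SYSCALL pid=105 auid=4294967295 exe="/usr/sbin/cron"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value audit line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def load_lookup(text):
    """Index the lookup CSV by its input field, acct."""
    return {row["acct"]: row for row in csv.DictReader(io.StringIO(text))}


def match_any(events, lookup, acct):
    """Pick the lookup row for the dashboard-selected acct first, then keep
    every event matching acct, aid (against auid) or adr (against addr).
    Returns [(pid, [matched criteria])] so the reason for each hit is visible."""
    row = lookup.get(acct)
    if row is None:
        return []
    checks = (("acct", "acct", row["acct"]),
              ("aid", "auid", row["aid"]),
              ("adr", "addr", row["adr"]))
    hits = []
    for e in map(parse, events):
        why = [name for name, field, value in checks if e.get(field) == value]
        if why:
            hits.append((e["pid"], why))
    return hits


if __name__ == "__main__":
    for pid, why in match_any(EVENTS, load_lookup(LOOKUP_CSV), "user1"):
        print(pid, ",".join(why))
```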