Hello everyone,
I just want to merge the 2 Splunk searches.
In the first query, I have all the information about mounting the USB key.
In the second query, I have the information about unmounting the USB key.
The events that are used to mount and unmount the USB drive are not similar, so I want to add the unmount events to the mount events. You should know that in the unmount request I use the transaction command to group the audit logs together.
The first query (mount query):
sourcetype="mtab_executer" OR source="unix:useraccounts"
| rex max_match=0 "(^|\n)(?<usb_key>\/\S+\s\/\S+)"
| eval user_id=coalesce(user_id, uid)
| eventstats latest(user) AS user BY user_id
| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(_time) AS c_time
| stats latest(c_time) AS Mount, latest(user) AS user, latest(user_id) AS user_id, count BY usb_key
The second query (unmount query):
sourcetype="linux_audit" | transaction startswith="type=SYSCALL" endswith="type=PATH"
| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(_time) AS c_time
| stats latest(c_time) AS Umount, count BY name
I want to add the result of this search (sourcetype="linux_audit" | transaction startswith="type=SYSCALL" endswith="type=PATH") to the result of this search (sourcetype="mtab_executer" OR source="unix:useraccounts").
To summarize all this, I want to merge the 2 requests and display the table of request 1, but with the unmount date of the key and more added to it.
Thank you
Amir
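One way to combine the two searches into a single table, as an added example that is not part of the original post: the mount search is kept as the base, the audit/transaction search is brought in with append, and stats merges both sides on a shared key. The example assumes that the `name` field from the audit PATH record holds the mount point and that usb_key is "device mountpoint", so a mount_point field is extracted from usb_key to serve as the join key (both are assumptions; adjust the rex to your data).

```spl
sourcetype="mtab_executer" OR source="unix:useraccounts"
| rex max_match=0 "(^|\n)(?<usb_key>\/\S+\s\/\S+)"
| eval user_id=coalesce(user_id, uid)
| eventstats latest(user) AS user BY user_id
/* assumption: second token of usb_key is the mount point, used as join key */
| rex field=usb_key "^\S+\s(?<mount_point>\/\S+)$"
| eval mount_epoch=_time
| append
    [ search sourcetype="linux_audit"
      | transaction startswith="type=SYSCALL" endswith="type=PATH"
      /* assumption: PATH 'name' is the mount point being unmounted */
      | rename name AS mount_point
      | eval umount_epoch=_time ]
| stats latest(usb_key) AS usb_key,
        latest(user) AS user,
        latest(user_id) AS user_id,
        latest(mount_epoch) AS mount_epoch,
        latest(umount_epoch) AS umount_epoch,
        count(mount_epoch) AS mount_count,
        count(umount_epoch) AS umount_count
        BY mount_point
| eval Mount=strftime(mount_epoch, "%d/%m/%Y %H:%M:%S"),
       Umount=strftime(umount_epoch, "%d/%m/%Y %H:%M:%S"),
       still_mounted=if(isnull(umount_epoch) OR umount_epoch<mount_epoch, "yes", "no")
| table usb_key mount_point user user_id Mount Umount mount_count umount_count still_mounted
```

Formatting the times only after stats keeps latest() comparing epoch numbers rather than strings; also note that append is a subsearch and is subject to the default subsearch result and time limits, so widen them or use a single base search with OR if the audit volume is large.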