Solved

For CloudTrail, how would I format a query to look for the follow pattern?

Forum|Forum|9 months ago
March 11, 2025
4 replies
3 views

Steve Litras
Employee

Hello. I have a basic CloudTrail bucket and would like to have the account number part of the bucket path be able to be specified in a Cribl Search.
How would I format a search query that looks for “account” 12345 if the path is as follows. …/AWSLogs/${account}/CloudTrail/…

Best answer by dritan

dataset=mydataset account=12345

D

dritan
Employee
Answer
Forum|Forum|9 months ago
March 11, 2025

dataset=mydataset account=12345

Like

S

Steve Litras
Author
Employee
Forum|Forum|9 months ago
March 11, 2025

That's what I figured it would be, but wasn't seeing results. I let it run for 30 seconds this time and it showed results after I cancelled the search.

Like

D

dritan
Employee
Forum|Forum|9 months ago
March 11, 2025

oh, maybe some ui refresh issues?

Like

S

Steve Litras
Author
Employee
Forum|Forum|9 months ago
March 11, 2025

It must have been, but It's working now. just taking a bit longer than I was allowing it to run.Thanks for helping confirm/sanity check for me :slightly_smiling_face:

Like

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded