Search Configuration help - CloudTrail S3 bucket path and search

Question

I'd like to search a CloudTrail S3 bucket. What I want to search is "in all accounts" and only in "US-EAST-2" region for event name:"Assume Role". I'm not sure if I configured the Dataset correctly and/or how to do the search.

Regarding the Dataset bucket path. This is the S3 folder layout:
AWSLogs/subfolder/<ACCOUNT>/CloudTrail/<REGION>/YYYY/MM/DD

In the Dataset config, i'm not sure what to put in the bucket path. Especially for the <Account> and <Region> parts
My guess is something like this
AWSLogs/subfolder/${ACCOUNT}/CloudTrail/${REGION}/${_time:%Y}/${_time:%m}/${_time:%d}

Regarding search:
What I want to search is "in all accounts" and only in "US-EAST-2" region for event name:"Assume Role"
When I did:
dataset="CloudTrail_DATASET_NAME" | limit 1000
it returns no results. Not sure what I'm missing

Thanks

Jon Rust · Answer

If you haven't already, check out our docs on the subject. FWIW, the best performance will come from having date and time at the start of the path. (If you have a choice.)

Your guess is good. With that partition expression, you can search for ACCOUNT = "something*" REGION="*else"

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded