Search Configuration help - CloudTrail S3 bucket path and search

Question

I'd like to search a CloudTrail S3 bucket. What I want to search is "in all accounts" and only in "US-EAST-2" region for event name:"Assume Role". I'm not sure if I configured the Dataset correctly and/or how to do the search.

Regarding the Dataset bucket path. This is the S3 folder layout:

AWSLogs/subfolder/<ACCOUNT>/CloudTrail/<REGION>/YYYY/MM/DD

In the Dataset config, i'm not sure what to put in the bucket path. Especially for the <Account> and <Region> parts

My guess is something like this

AWSLogs/subfolder/${ACCOUNT}/CloudTrail/${REGION}/${_time:%Y}/${_time:%m}/${_time:%d}

Regarding search:

What I want to search is "in all accounts" and only in "US-EAST-2" region for event name:"Assume Role"

When I did:

dataset="CloudTrail_DATASET_NAME" | limit 1000

it returns no results. Not sure what I'm missing

Thanks

Page 1 / 1

If you haven't already, check out our docs on the subject. FWIW, the best performance will come from having date and time at the start of the path. (If you have a choice.)

Your guess is good. With that partition expression, you can search for ACCOUNT = "something*" REGION="*else"

Reply

Jon Rust · Answer

If you haven't already, check out our docs on the subject. FWIW, the best performance will come from having date and time at the start of the path. (If you have a choice.)

Your guess is good. With that partition expression, you can search for ACCOUNT = "something*" REGION="*else"

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded