We have updated our Terms of Service, Code of Conduct, and Addendum.

Search Configuration help - CloudTrail S3 bucket path and search

Mitchell Fang
Mitchell Fang Posts: 1
in Search

I'd like to search a CloudTrail S3 bucket. What I want to search is "in all accounts" and only in "US-EAST-2" region for event name:"Assume Role". I'm not sure if I configured the Dataset correctly and/or how to do the search.


Regarding the Dataset bucket path. This is the S3 folder layout:
AWSLogs/subfolder/<ACCOUNT>/CloudTrail/<REGION>/YYYY/MM/DD

In the Dataset config, i'm not sure what to put in the bucket path. Especially for the <Account> and <Region> parts
My guess is something like this
AWSLogs/subfolder/${ACCOUNT}/CloudTrail/${REGION}/${_time:%Y}/${_time:%m}/${_time:%d}

Regarding search:
What I want to search is "in all accounts" and only in "US-EAST-2" region for event name:"Assume Role"
When I did:
dataset="CloudTrail_DATASET_NAME" | limit 1000
it returns no results. Not sure what I'm missing

Thanks

Tagged:

Answers

  • Jon Rust
    Jon Rust Posts: 455 mod

    If you haven't already, check out our docs on the subject. FWIW, the best performance will come from having date and time at the start of the path. (If you have a choice.)

    Your guess is good. With that partition expression, you can search for ACCOUNT = "something*" REGION="*else"

Categories