All Apps and Add-ons

Trouble creating a Pie Chart with URL filtering

DeanDeleon0
Path Finder

Hello all!

I am using the dashboards generated in the Palo Alto Networks App and attempting to divide the http_category (for URL filtering) to group them into specific other categories and then create a Pie Chart of the results. The results of the search add the count of each correctly, but I am unable to how this work "visually".

Basically I want to flag specific "http_category" events as "Good", "Bad", and "Grey area" as an example. So that "Bad" could contain sports, shopping and games, "Good" could contain government, legal and news, etc...

I am able to get correct numbers (by adding them up manually to verify) with this following search:

| tstats  values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url"     """"    log.action="*" GROUPBY _time log.dest_name log.app:category log.http_category log.app log.action log.content_type log.vendor_action | rename log.* AS * | stats sum(eval(http_category="sports" OR http_category="shopping" OR http_category="games")) as bad, sum(eval(http_category="legal" OR http_category="government" OR http_category="news")) as good, sum(eval(http_category="music" OR http_category="religion" OR http_category="media")) as "grey area"

Any suggestions on how I can resolve this or am I looking at this completely wrong? Any help with be very much appreciated.

Thanks,

Dean

0 Karma
1 Solution

btorresgil
Builder

Rather than trying to sum an eval, my suggestion is to create a lookup. The lookup could have two columns: http_category, http_category_verdict

For each http category, set a verdict of good, bad, or gray area. Then, whenever you have results with an http_category field, just pipe to the lookup table:

<rest of search> | lookup your-lookup-table http_category

That will reference the lookup table and add a field called http_category_verdict to each log based on the http category of each log.

Hope that helps!

View solution in original post

0 Karma

btorresgil
Builder

Rather than trying to sum an eval, my suggestion is to create a lookup. The lookup could have two columns: http_category, http_category_verdict

For each http category, set a verdict of good, bad, or gray area. Then, whenever you have results with an http_category field, just pipe to the lookup table:

<rest of search> | lookup your-lookup-table http_category

That will reference the lookup table and add a field called http_category_verdict to each log based on the http category of each log.

Hope that helps!

View solution in original post

0 Karma

DeanDeleon0
Path Finder

Thanks! This simplified things.

0 Karma