Hello all!
I am using the dashboards generated in the Palo Alto Networks App and attempting to divide the http_category (for URL filtering) to group them into specific other categories and then create a Pie Chart of the results. The results of the search add the count of each correctly, but I am unable to make this work "visually".
Basically I want to flag specific "http_category" events as "Good", "Bad", and "Grey area" as an example. So that "Bad" could contain sports, shopping and games, "Good" could contain government, legal and news, etc...
I am able to get correct numbers (by adding them up manually to verify) with this following search:
| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" log.action="*" GROUPBY _time log.dest_name log.app:category log.http_category log.app log.action log.content_type log.vendor_action
| rename log.* AS *
| stats sum(eval(http_category="sports" OR http_category="shopping" OR http_category="games")) as bad, sum(eval(http_category="legal" OR http_category="government" OR http_category="news")) as good, sum(eval(http_category="music" OR http_category="religion" OR http_category="media")) as "grey area"
Any suggestions on how I can resolve this, or am I looking at this completely wrong? Any help will be very much appreciated.
Thanks,
Dean
Rather than trying to sum an eval, my suggestion is to create a lookup. The lookup could have two columns: http_category, http_category_verdict. For each http category, set a verdict of good, bad, or gray area. Then, whenever you have results with an http_category field, just pipe to the lookup table:
<rest of search> | lookup your-lookup-table http_category
That will reference the lookup table and add a field called http_category_verdict to each log based on the http category of each log.
Hope that helps!
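A worked version of the lookup approach, added here as an example and not taken from the answer above or from the Palo Alto Networks App. The block shows, in order, the lookup CSV, an optional transforms.conf stanza, and the search that feeds the pie chart; the lines starting with # are annotations, not part of the files. The file name http_category_verdict.csv, the lookup name http_category_verdict and the category-to-verdict assignments are assumptions chosen to match the question; the search assumes the same pan_firewall data model and log.* field names the question uses.

```spl
# http_category_verdict.csv (constructed sample; upload it under Settings > Lookups > Lookup table files
# and define a lookup named http_category_verdict on it, or use the transforms.conf stanza below)
http_category,http_category_verdict
sports,bad
shopping,bad
games,bad
government,good
legal,good
news,good
music,grey area
religion,grey area
media,grey area

# transforms.conf (only needed if you define the lookup in config instead of the UI)
[http_category_verdict]
filename = http_category_verdict.csv
case_sensitive_match = false

# Search for the pie chart. Only http_category is needed in the GROUPBY; tstats returns one
# aggregated row per group carrying a count field, so the final stats sums that field rather
# than counting rows. fillnull gives categories missing from the CSV a visible verdict instead
# of silently dropping them from the chart.
| tstats count FROM datamodel=pan_firewall WHERE nodename="log.url" log.action="*" GROUPBY log.http_category
| rename log.* AS *
| lookup http_category_verdict http_category OUTPUT http_category_verdict
| fillnull value="unclassified" http_category_verdict
| stats sum(count) AS count BY http_category_verdict
```

Point the pie chart at the output of the final stats; the verdict values become the slices and the summed count the slice size. Check the "unclassified" slice after the first run: anything that lands there is a category the CSV does not yet map, so it is also the quickest way to spot new URL categories Palo Alto adds over time.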
Thanks! This simplified things.