Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Trouble creating a Pie Chart with URL filtering
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all!
I am using the dashboards generated in the Palo Alto Networks App and attempting to divide the http_category (for URL filtering) to group them into specific other categories and then create a Pie Chart of the results. The results of the search add the count of each correctly, but I am unable to how this work "visually".
Basically I want to flag specific "http_category" events as "Good", "Bad", and "Grey area" as an example. So that "Bad" could contain sports, shopping and games, "Good" could contain government, legal and news, etc...
I am able to get correct numbers (by adding them up manually to verify) with this following search:
| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="*" GROUPBY _time log.dest_name log.app:category log.http_category log.app log.action log.content_type log.vendor_action | rename log.* AS * | stats sum(eval(http_category="sports" OR http_category="shopping" OR http_category="games")) as bad, sum(eval(http_category="legal" OR http_category="government" OR http_category="news")) as good, sum(eval(http_category="music" OR http_category="religion" OR http_category="media")) as "grey area"
Any suggestions on how I can resolve this or am I looking at this completely wrong? Any help with be very much appreciated.
Thanks,
Dean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rather than trying to sum an eval, my suggestion is to create a lookup. The lookup could have two columns: http_category, http_category_verdict
For each http category, set a verdict of good, bad, or gray area. Then, whenever you have results with an http_category field, just pipe to the lookup table:
<rest of search> | lookup your-lookup-table http_category
That will reference the lookup table and add a field called http_category_verdict to each log based on the http category of each log.
Hope that helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rather than trying to sum an eval, my suggestion is to create a lookup. The lookup could have two columns: http_category, http_category_verdict
For each http category, set a verdict of good, bad, or gray area. Then, whenever you have results with an http_category field, just pipe to the lookup table:
<rest of search> | lookup your-lookup-table http_category
That will reference the lookup table and add a field called http_category_verdict to each log based on the http category of each log.
Hope that helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This simplified things.
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
