Can someone explain why the "status_code" and "rep" fields below are necessary to identify uncategorized URLs in the App for McAfee Web Gateway?
index=mwg sourcetype=MWGaccess3 status_code!=407 status_code="5*" urlc="-" rep!="-"
Hello dluiz,
By excluding 5xx status codes you filter out various connection problems (like inability to resolve the destination host).
'rep!="-"' means include results where the Trusted Source Database was queried. In the other case, the results will include hosts from the white list.
best regards
Pavel
Hi @dluiz
In case you don't get an answer here, you can always contact the developer of the app directly. The contact information for the developer of an app is found on the bottom right panel of the app's page:
https://apps.splunk.com/app/1654/
For this particular app, they also put their contact information at the bottom of the Overview tab, which is splunk@compek.net
Thanks for the suggestions ppablo!
No problem, hope ya find an answer soon 🙂