Good day all,
This is my first post so please bear with me
I am working on a search for the Netskope CASB product
index=test user=johndoe
|stats count by app, activity, action, alert_name, alert_type, site, _time
|sort _time
My search seems to contain incompatible fields: action=allow and the fields alert_name, alert_type.
For the "action" field, the values will be one of ( allow, block, alert ).
The allow action will never have an "alert_name" or "alert_type" associated with it, but I need to see those values when the action is "alert" or "block".
With my current search above I only see action=block & action=alert, never any action=allow.
I want to be able to see action=allow, and if action=block I want to see "alert_name", "alert_type";
if action=allow then "alert_name", "alert_type" will have empty values.
I am really hoping I made sense here 🙂
Thanks and have a great day!
😉
Thank you.
I tried the search below:
index=test user=johndoe* action=*
|fillnull alert_type, alert_name value="N/A"
|stats count by app, activity, action, alert_name, alert_type, site, _time
|sort _time
I tried shifting the fillnull around to no effect. On the events page I see the allows, but in the statistics they are still not showing up. See attached images. It is a bit baffling to me.
Thanks!
| fillnull value="N/A" alert_type alert_name
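As an added illustration that is not part of the thread, here is a small Python model of why the allow rows vanish: "stats count by" only produces a row for events that carry every by-field, so the allow events (which have no alert_name or alert_type) are silently dropped, and filling those fields before stats restores them. The events are constructed to match the shape described above, not real Netskope data.

```python
from collections import Counter

# Constructed sample events in the shape of the thread's Netskope CASB logs
# (not real data). The "allow" events carry no alert_name / alert_type field.
EVENTS = [
    {"_time": 1, "app": "Box", "activity": "Upload", "action": "allow", "site": "box.com"},
    {"_time": 2, "app": "Box", "activity": "Upload", "action": "block",
     "alert_name": "DLP-PII", "alert_type": "dlp", "site": "box.com"},
    {"_time": 3, "app": "Dropbox", "activity": "Download", "action": "alert",
     "alert_name": "Anomaly", "alert_type": "uba", "site": "dropbox.com"},
    {"_time": 4, "app": "Box", "activity": "Upload", "action": "allow", "site": "box.com"},
]

# Same by-field list as the search in the question.
BY_FIELDS = ["app", "activity", "action", "alert_name", "alert_type", "site", "_time"]


def stats_count_by(events, by_fields):
    """Model of `| stats count by f1 f2 ...`: an event that lacks any of the
    by-fields contributes to no row at all, which is why the allow events
    disappear from the Statistics tab while still appearing under Events."""
    counts = Counter()
    for ev in events:
        if all(f in ev for f in by_fields):
            counts[tuple(ev[f] for f in by_fields)] += 1
    return counts


def fillnull(events, fields, value="N/A"):
    """Model of `| fillnull value="N/A" alert_type alert_name`: give every
    event a value for the named fields so that stats keeps the event."""
    return [{**ev, **{f: ev.get(f, value) for f in fields}} for ev in events]


def allow_rows(counts):
    """Rows of the stats output whose action column is 'allow'."""
    idx = BY_FIELDS.index("action")
    return {key: n for key, n in counts.items() if key[idx] == "allow"}


if __name__ == "__main__":
    before = stats_count_by(EVENTS, BY_FIELDS)
    after = stats_count_by(fillnull(EVENTS, ["alert_type", "alert_name"]), BY_FIELDS)
    print("allow rows before fillnull:", len(allow_rows(before)))  # 0
    print("allow rows after fillnull:", len(allow_rows(after)))    # 2
```

The same drop happens for any by-field that is absent on a subset of events, so checking the Events count against the Statistics row total is a quick way to spot it.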
Your image only shows the first 3 columns. What is to the right? Also, you are showing that there are 3 values for alert_type and alert_name. What values do you have there?