Search seems to contain incompatible fields

Explorer

Good day all,
This is my first post, so please bear with me.
I am working on a search for the Netskope CASB product.

index=test user=johndoe
|stats count by app, activity, action, alert_name, alert_type, site, _time
|sort _time

My search seems to contain incompatible fields: action=allow and the fields alert_name and alert_type.
For the "action" field the values will be either (allow, block, alert).

The allow action will never have an "alert_name" or "alert_type" associated with it, but I need to see those values for when the action is "alert" or "block".
With my current search above I only see action=block & action=alert, never any action=allow.

I want to be able to see action=allow, and if action=block I want to see "alert_name" and "alert_type";
if action=allow then "alert_name" and "alert_type" will have empty values.

I am really hoping I made sense here 🙂

Thanks and have a great day!

😉


Builder

| fillnull value="N/A" alert_type alert_name
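
As an added example (not posted by anyone in this thread), the following self-contained search builds three constructed Netskope-style events with makeresults and applies the fillnull form suggested above; remove the fillnull line and the action=allow row disappears from the stats output, because stats discards any event in which one of the BY fields is null. The app, activity, site and alert values are made up for the demonstration.

```spl
| makeresults count=3
| streamstats count AS n
| eval action=case(n=1, "allow", n=2, "block", n=3, "alert"),
       app="Box", activity="Upload", site="box.com",
       alert_name=if(n=1, null(), "DLP-Policy-Hit"),
       alert_type=if(n=1, null(), "dlp")
| fillnull value="N/A" alert_name alert_type
| stats count BY app, activity, action, alert_name, alert_type, site, _time
| sort _time
```

Grouping by raw _time yields one row per distinct timestamp; add `| bin _time span=1h` before the stats if you want counts per interval instead.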

Explorer

Thank you.

I tried the below search

index=test user=johndoe* action=*
|fillnull  alert_type, alert_name value="N/A"
|stats count by app, activity, action, alert_name, alert_type, site, _time
|sort _time


I tried shifting the fillnull around to no effect. On the events page I see the allows, but in the statistics they are still not showing up. See attached images. It is a bit baffling to me.

Thanks!

Builder

Your image only shows the first 3 columns. What is to the right? Also, you are showing that there are 3 values for alert_type and alert_name. What values do you have there?

Explorer

There are six alert_type values so far and numerous alert_name values.

Thanks!