Basically, I am trying to visualize all events which match up to the initial query, and provide a bar graph output. Then, I want to perform another query which overlays events that are also "pan_wildfire" events. Here's the query I currently have. It works, but doesn't provide anything meaningful.
index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked | timechart count(action) by date | appendcols [search index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked eventtype = pan_wildfire] | timechart count(action) by date
If I remove everything after the first "timechart", I get the timechart I expect. What I am hoping to accomplish is to show that data, then overlay in a different color the second timechart visualization. I expect this to be a much smaller piece of data, but it's important I show those as well.
UPDATE
index="paloalto" (src_zone=zoneA OR src_zone=zoneB) app=ssl
| timechart span=1d count as All_Decrypted_Traffic
,count(eval(flags="decrypted"
AND type="THREAT"
AND threat!="MP4 Detected(52104)"
AND action="blocked")) as All_Blocked_count
,count(eval(eventtype="pan_wildfire_malicious")) as Pan_Wildfire_Blocked_count
I think you create 4 counts.
Well, I'm trying to show a graph of overall SSL traffic (which is the first part), then a graph showing the decrypted traffic (index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)"), then a final part showing the wildfire events (which is a very small number of things, and this is currently searching via timechart count as All_Blocked_count count(eval(eventtype= pan_wildfire)) as Pan_Wildfire_Blocked_count )
I would like this all as three separate bar charts or line charts; basically, to show the difference between each type of traffic flow. We start with SSL traffic, decrypt a small part of that (and I want to show the threat events found in decrypted traffic), then I finally want to show the wildfire findings in that decrypted traffic.
@z432u4kvfkcg when your intent is to plot a timechart, the reason to split by the date field is not so clear. Also, based on the search you have provided, it seems like you don't need the subsearch appendcols at all. Please try the following:
index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked
| timechart count as All_Blocked_count count(eval(eventtype= pan_wildfire)) as Pan_Wildfire_Blocked_count
So that worked a lot better, but the Pan_wildfire_blocked isn't showing any events, when I know for a fact I have them. I had one today, but it's not showing up anywhere.
I want to show this by date because I want to understand a day-by-day trend for decrypted threat events vs. decrypted threat events which also have the pan_wildfire event type.
Hi @z432u4kvfkcg, if eventtype=pan_wildfire exists then the query should work.
Do you get results when you perform the following command:
index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked eventtype=Pan_wildfire
Or what do you see when you run the following:
index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked
| stats count by eventtype
Also adding span=1d should bucket daily stats for you. For example: | timechart span=1d ............
Ok, one last snag. Now I'm trying to compare both of these to overall SSL traffic in a specific zone. Here's the query, but I'm obviously doing something wrong with how I am nesting the previous two pieces into the new part (which is index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl ) because I get this error:
Error in 'timechart' command: The eval expression for dynamic field 'flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid. Error='The operator at 'type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid.'.
New query:
index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl | timechart count as All_Decrypted_Traffic count(eval(flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked)) as Decrypted_Threat | timechart count as All_Blocked_count count(eval(eventtype="pan_wildfire_malicious")) as Pan_Wildfire_Blocked_count
Yes, I get results for both. I found out I needed to enclose pan_wildfire in quotes, so it actually needed to be something like threat_category="wildfire" or it never found the events.
Thanks for the help!
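Pulling the pieces of this thread together, here is one way to write the three-tier comparison as a single timechart. This is an added example, not a query from the thread: it uses only the fields and values posted above (src_zone, app=ssl, flags, type, threat, action, threat_category="wildfire"), quotes every value inside eval() so it is compared as a string rather than as a field name, and joins the conditions with AND, which is what the timechart error above was complaining about. It assumes the WildFire events in this data also carry flags=decrypted and action=blocked, as the earlier posts imply.

```spl
index="paloalto" (src_zone=zoneA OR src_zone=zoneB) app=ssl
| timechart span=1d
    count as All_SSL_Traffic
    count(eval(flags="decrypted")) as Decrypted_Traffic
    count(eval(flags="decrypted" AND type="THREAT" AND threat!="MP4 Detected(52104)" AND action="blocked")) as Decrypted_Threats_Blocked
    count(eval(flags="decrypted" AND action="blocked" AND threat_category="wildfire")) as Wildfire_Blocked
```

Each column becomes its own series on one chart, so the funnel from all SSL traffic through decrypted blocked threats to WildFire findings is visible day by day without appendcols. If a series stays at zero, running `| stats count by eventtype` or `| stats count by threat_category` over the same base search shows which value the events actually carry.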