@PrewinThomas, I removed the transaction command. Let's make it simple. I need a table like this which plots the blocked numbers of emails, firewalls, DLP, EDR, Web proxy and WAF for the last 6 months, showing the count for each month and its total, similar to this. What I did was modify each query to give data for the last 6 months for each parameter, and I then simply append that to one table, which is not a good practice. Hence I am here asking for help from the experts. I can share the individual queries if that helps:

Email:
| tstats summariesonly=false dc(Message_Log.msg.header.message-id) as Blocked from datamodel=pps_ondemand where (Message_Log.filter.routeDirection="inbound") AND (Message_Log.filter.disposition="discard" OR Message_Log.filter.disposition="reject" OR Message_Log.filter.quarantine.folder="Spam*") earliest=-6mon@mon latest=now by _time
-- here, from the datamodel pps, I am simply counting the Spam, inbound and discard emails.

DLP:
index=forcepoint_dlp sourcetype IN ("forcepoint:dlp","forcepoint:dlp:csv") action="blocked" earliest=-6mon@mon latest=now | bin _time span=1mon | stats count(action) as Blocked by _time

Web Proxy:
index=zscaler* action=blocked sourcetype="zscalernss-web" earliest=-6mon@mon latest=now | bin _time span=1mon | stats count as Blocked by _time

EDR:
index=crowdstrike-hc sourcetype="CrowdStrike:Event:Streams:JSON" "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* earliest=-6mon@mon latest=now | bin _time span=1mon | search action=blocked NOT action=allowed | stats dc(event.DetectId) as Blocked by _time

WAF:
| tstats `security_content_summariesonly` count as Blocked from datamodel=Web where sourcetype IN ("alertlogic:waf","aemcdn","aws:*","azure:firewall:*") AND Web.action="block" earliest=-6mon@mon latest=now by _time
-- Web is an accelerated datamodel in my environment; `security_content_summariesonly` expands to summariesonly=false allow_old_summaries=true fillnull_value=null

Lastly, Firewall:
| tstats `security_content_summariesonly` count as Blocked from datamodel=Network_Traffic where sourcetype IN ("cp_log", "cisco:asa", "pan:traffic") AND All_Traffic.action="blocked" earliest=-6mon@mon latest=now by _time
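One way to build the month-by-control table from the six queries in the post, as an added example that is not the poster's own search: each per-control search is tagged with a Control field, the results are stacked with append (the only practical option here, since tstats searches are not streaming and so cannot go into multisearch), then a single chart pivots Control into columns, addtotals gives the per-month total column and addcoltotals appends the six-month total row. The queries are the poster's, with two assumptions of mine: the three tstats searches get `span=1mon` on their `by _time` clause so that the distinct counts are taken per calendar month rather than per default bucket, and months are rendered as "YYYY-MM" via strftime.

```spl
| tstats summariesonly=false dc(Message_Log.msg.header.message-id) AS Blocked
    from datamodel=pps_ondemand
    where Message_Log.filter.routeDirection="inbound"
      AND (Message_Log.filter.disposition="discard" OR Message_Log.filter.disposition="reject" OR Message_Log.filter.quarantine.folder="Spam*")
      earliest=-6mon@mon latest=now
    by _time span=1mon
| eval Control="Email"
| append [ search index=forcepoint_dlp sourcetype IN ("forcepoint:dlp","forcepoint:dlp:csv") action="blocked" earliest=-6mon@mon latest=now
    | bin _time span=1mon
    | stats count AS Blocked by _time
    | eval Control="DLP" ]
| append [ search index=zscaler* action=blocked sourcetype="zscalernss-web" earliest=-6mon@mon latest=now
    | bin _time span=1mon
    | stats count AS Blocked by _time
    | eval Control="Web Proxy" ]
| append [ search index=crowdstrike-hc sourcetype="CrowdStrike:Event:Streams:JSON" "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* earliest=-6mon@mon latest=now
    | bin _time span=1mon
    | search action=blocked NOT action=allowed
    | stats dc(event.DetectId) AS Blocked by _time
    | eval Control="EDR" ]
| append [ | tstats `security_content_summariesonly` count AS Blocked from datamodel=Web
    where sourcetype IN ("alertlogic:waf","aemcdn","aws:*","azure:firewall:*") AND Web.action="block" earliest=-6mon@mon latest=now
    by _time span=1mon
    | eval Control="WAF" ]
| append [ | tstats `security_content_summariesonly` count AS Blocked from datamodel=Network_Traffic
    where sourcetype IN ("cp_log","cisco:asa","pan:traffic") AND All_Traffic.action="blocked" earliest=-6mon@mon latest=now
    by _time span=1mon
    | eval Control="Firewall" ]
``` normalise every row to the same monthly bucket before aggregating, then pivot ```
| bin _time span=1mon
| stats sum(Blocked) AS Blocked by _time Control
| eval Month=strftime(_time, "%Y-%m")
| chart sum(Blocked) AS Blocked over Month by Control
``` empty cells become 0 so the totals are computed over every control ```
| fillnull value=0
| addtotals fieldname=Total
| addcoltotals labelfield=Month label="Total"
```

Two caveats when running it: a tstats search inside append must start with a leading pipe, as above; and each append subsearch is subject to the subsearch result and runtime limits (by default 50,000 results and 60 seconds), which six rows per control is far below but which will bite if a per-control search is ever widened to event level before its stats.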