Well, I'm trying to show a graph of overall SSL traffic (which is the first part), then a graph showing the decrypted traffic (index="paloalto" flags=decrypted type=THREAT threat!="MP4 Detected(52104)"), then a final part showing the wildfire events (which is a very small number of things, and this is currently searching via timechart count as All_Blocked_count count(eval(eventtype= pan_wildfire)) as Pan_Wildfire_Blocked_count ) I would like this all as three separate bar charts or line charts- basically, to show the difference between each type of traffic flow. We start with SSL traffic, decrypt a small part of that (and I want to show the threat events found in decrypted traffic), then I finally want to show the wildfire findings in that decrypt traffic. ... View more

Ok, one last snag. Now I'm trying to compare both of these to overall SSL traffic in a specific zone. Here's the query, but I'm obviously doing something wrong with how I am nesting the previous two pieces into the new part (which is index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl ) because I get this error: Error in 'timechart' command: The eval expression for dynamic field 'flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid. Error='The operator at 'type=THREAT threat!="MP4 Detected(52104)" action=blocked' is invalid.'. New query: index="paloalto" src_zone=zoneA OR src_zone=zoneB app=ssl | timechart count as All_Decrypted_Traffic count(eval(flags=decrypted type=THREAT threat!="MP4 Detected(52104)" action=blocked)) as Decrypted_Threat | timechart count as All_Blocked_count count(eval(eventtype="pan_wildfire_malicious")) as Pan_Wildfire_Blocked_count ... View more

Yes, I get results for both. I found out I needed to enclose pan_wildfire in quotes, so it actually needed to be something like threat_category="wildfire" or it never found the events. Thanks for the help! ... View more

So that worked a lot better, but the Pan_wildfire_blocked isn't showing any events, when I know for a fact I have them. I had one today, but it's not showing up anywhere. I want to show this by date because I want to understand a day-by-day trend for decrypted threat events vs. decrypted threat events which also have the pan_wildfire event type. ... View more