Forum Discussion
How to combine queries on the same table.
Hi Guys,
I am adding a new column in the CommonSecurityLog table, but I am having an issue with the KQL query. Please help me. These are Palo Alto related logs. As the "cat" field is in both Threat and System, it is going to overlap. That's why I have to run the query with an "OR" operator so the Threat "cat" field will not overlap with the System "cat" field. Please help me.
CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
| extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)
combined with an "OR" condition:
| where Activity == "SYSTEM"
| extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
- Clive_Watson (Bronze Contributor): Would this help?
CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT", "SYSTEM")   // SYSTEM must pass this filter, otherwise system_ below is always empty
| where AdditionalExtensions contains "cat="
| extend threat_ = iif(Activity == "THREAT", extract('cat=([^;]+)', 1, AdditionalExtensions), "")
| extend system_ = iif(Activity == "SYSTEM", extract('cat=([^;]+)', 1, AdditionalExtensions), "")
| extend all_ = strcat(threat_, system_)   // only one of the two is non-empty on any given row
- akshay250692 (Brass Contributor): not working as expected
- Clive_Watson (Bronze Contributor): akshay250692, in what way? Please explain.
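A self-contained version of the combined query, added here as an example and not posted by either participant. It runs against a constructed datatable standing in for CommonSecurityLog (the three sample rows and their AdditionalExtensions values are made up), keeps SYSTEM in the Activity filter so the SYSTEM branch can actually match, and anchors each key at the start of the string or after a ";" so that cat= does not also match the value of a key such as subcat=:

```kql
// Added example: constructed stand-in for CommonSecurityLog. Remove this let
// block and the query below runs against the real table unchanged.
let CommonSecurityLog = datatable(TimeGenerated:datetime, Activity:string, AdditionalExtensions:string) [
    datetime(2024-01-01 00:00:00), "THREAT",  "PanOSThreatCategory=spyware;cat=Suspicious DNS Query;reason=threat",
    datetime(2024-01-01 00:00:01), "SYSTEM",  "cat=general;subcat=auth-fail",
    datetime(2024-01-01 00:00:02), "TRAFFIC", "reason=tcp-fin;subcat=end"
];
CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT", "SYSTEM")   // SYSTEM kept in the filter, or EventID_CF is never populated
// (?:^|;) anchors the key so "cat=" cannot match inside "subcat=..."; [^;]+ stops at the next pair.
| extend SessionEndReason_CF = extract('(?:^|;)reason=([^;]+)', 1, AdditionalExtensions)
| extend thr_category_CF     = extract('(?:^|;)PanOSThreatCategory=([^;]+)', 1, AdditionalExtensions)
// The same cat= key carries different data per log type, so extract it once and
// route it to a column by Activity instead of running two queries joined with OR.
| extend cat_ = extract('(?:^|;)cat=([^;]+)', 1, AdditionalExtensions)
| extend ThreatContentName_CF = iff(Activity == "THREAT", cat_, "")
| extend EventID_CF           = iff(Activity == "SYSTEM", cat_, "")
| project TimeGenerated, Activity, SessionEndReason_CF, thr_category_CF, ThreatContentName_CF, EventID_CF
```

With the sample rows, the THREAT row fills ThreatContentName_CF with "Suspicious DNS Query" and leaves EventID_CF empty, the SYSTEM row does the reverse with "general", and the TRAFFIC row populates only SessionEndReason_CF; the unanchored pattern 'cat=([^;]+)' would instead return "auth-fail" for the SYSTEM row's subcat value if cat= were absent, which is the kind of silent mismatch that makes a query look like it is "not working as expected".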