Forum Discussion
How to combined query with same table.
Hi Guys, I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is g...
Would this help?
CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| where AdditionalExtensions contains "cat="
| extend threat_ = iif (Activity=="THREAT",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend system_ = iif (Activity=="SYSTEM",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend all_ = strcat(threat_,system_)
CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| where AdditionalExtensions contains "cat="
| extend threat_ = iif (Activity=="THREAT",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend system_ = iif (Activity=="SYSTEM",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend all_ = strcat(threat_,system_)
- not working as expected
akshay250692 in what way, please explain?
works for me, unless akshay was expecting another result.
(I don't have system logs coming in so an empty column is expected)
