Forum Discussion
How to combined query with same table.
Hi Guys, I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is g...
not working as expected
akshay250692 in what way, please explain?
works for me, unless akshay was expecting another result.
(I don't have system logs coming in so an empty column is expected)
- clive define for particular
| where AdditionalExtensions contains "cat="
that is not my requirement.- Just remove that line, it was there just to filter the records down in my testing, line 6 you may not want either. This was merely to show you the iif/iff command in use
- CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
| extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)
up to here i m good.
now in same table "commonsecuritylog" there is another activity called "system" in which also "cat" field as already same "cat " field in above query for activity "threat". if i m applying query then it is overlapping system "cat" with threat "cat". so i want to separate column for both "cat" field. so that overlapping will not happen.
i want merge above query with below query
| whrer activity in ("SYSTEM")
| extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
is it possible ?
