Forum Discussion
KQL query not working
Hi everyone, I'm not a kusto expert so bare with me. I'm trying to replace a text to another text... The one in bold is what I'm tryng to use but is not working.
Basically the log doesn't make a reference for (9999) which is actually "URL filtering log"... and I need this this to show on the results... not as (9999) but as "URL filtering log". I've been trying to use
CommonSecurityLog
| where DeviceProduct has 'PAN-OS'
| where DeviceVendor =~ 'Palo AltoNetworks'
//| where DeviceEventClassID =~ 'correlation'
| extend ThreatId = extract('cat=([^;]+)', 1, AdditionalExtensions)
| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)', 1, AdditionalExtensions)
| extend str=strcat("9999", "9999", "URL")
| extend replaced=replace_string(str, '9999', 'URL')
| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity
| top 20 by Amount
RESULTS:
Would this work, just use ?
datatable (ThreatId:string) ["A value","9999","somthing else"] | extend ThreatId = iif(ThreatId == "9999","URL filtering log",ThreatId)
5 Replies
- Hi mikhailf, yes that's correct.
Would this work, just use ?
datatable (ThreatId:string) ["A value","9999","somthing else"] | extend ThreatId = iif(ThreatId == "9999","URL filtering log",ThreatId)
