Forum Discussion
How to combined query with same table.
Hi Guys, I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is g...
akshay250692 in what way, please explain?
CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
| extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)
up to here i m good.
now in same table "commonsecuritylog" there is another activity called "system" in which also "cat" field as already same "cat " field in above query for activity "threat". if i m applying query then it is overlapping system "cat" with threat "cat". so i want to separate column for both "cat" field. so that overlapping will not happen.
i want merge above query with below query
| whrer activity in ("SYSTEM")
| extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
is it possible ?
| where Activity in ("TRAFFIC", "THREAT")
| extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
| extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)
up to here i m good.
now in same table "commonsecuritylog" there is another activity called "system" in which also "cat" field as already same "cat " field in above query for activity "threat". if i m applying query then it is overlapping system "cat" with threat "cat". so i want to separate column for both "cat" field. so that overlapping will not happen.
i want merge above query with below query
| whrer activity in ("SYSTEM")
| extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
is it possible ?