cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to combined query with same table.

akshay250692
Brass Contributor

‎Oct 31 2022 03:14 AM

‎Oct 31 2022 03:14 AM

How to combined query with same table.

Hi Guys,

 

I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is going to overlap. thats why i have to run  query with "OR" operator so Threat "cat" field will not overlap with System "cat" field. Please help me.

.

CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
| extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)

 

combined with "OR" condition

 

| where Activity == "SYSTEM"
| extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)

Labels:
1,360 Views
0 Likes
7 Replies
Reply
7 Replies
Clive_Watson

‎Oct 31 2022 06:35 AM

‎Oct 31 2022 06:35 AM

Re: How to combined query with same table.

Would this help?

CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| where AdditionalExtensions contains "cat="
| extend threat_ = iif (Activity=="THREAT",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend system_ = iif (Activity=="SYSTEM",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend all_ = strcat(threat_,system_)
0 Likes
Reply
akshay250692

‎Oct 31 2022 06:51 AM

‎Oct 31 2022 06:51 AM

Re: How to combined query with same table.

not working as expected
0 Likes
Reply
Clive_Watson

‎Oct 31 2022 06:53 AM

‎Oct 31 2022 06:53 AM

Re: How to combined query with same table.

@akshay250692 in what way, please explain? 

0 Likes
Reply
akshay250692

‎Oct 31 2022 07:03 AM

‎Oct 31 2022 07:03 AM

Re: How to combined query with same table.

CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
| extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)
up to here i m good.
now in same table "commonsecuritylog" there is another activity called "system" in which also "cat" field as already same "cat " field in above query for activity "threat". if i m applying query then it is overlapping system "cat" with threat "cat". so i want to separate column for both "cat" field. so that overlapping will not happen.
i want merge above query with below query
| whrer activity in ("SYSTEM")
| extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)

is it possible ?
0 Likes
Reply
SocInABox

‎Oct 31 2022 07:04 AM

‎Oct 31 2022 07:04 AM

Re: How to combined query with same table.

@Clive_Watson 

works for me, unless akshay was expecting another result.

(I don't have system logs coming in so an empty column is expected)

bobsyouruncle_0-1667224966542.png

 

0 Likes
Reply
akshay250692

‎Oct 31 2022 07:10 AM

‎Oct 31 2022 07:10 AM

Re: How to combined query with same table.

clive define for particular
| where AdditionalExtensions contains "cat="
that is not my requirement.
0 Likes
Reply
Clive_Watson

‎Oct 31 2022 07:30 AM

‎Oct 31 2022 07:30 AM

Re: How to combined query with same table.

Just remove that line, it was there just to filter the records down in my testing, line 6 you may not want either. This was merely to show you the iif/iff command in use
0 Likes
Reply