Microsoft Tech Community

Specific query - question


Hi, I need assistance please.

Given the following query:

F5_CL
| where TimeGenerated >= ago(3m) // change to required time
| extend RawData = split(RawData, '##') // split all raw data to specific values
| extend remote_address = tostring(RawData[1]) // take external remote address
| extend URL_Path = trim(@'\?(.*)', trim(@'([^\s]+)', tostring(RawData[5])))
| extend responseStatus = tostring(RawData[3])
| summarize count() by URL_Path, remote_address
| where responseStatus != "403" and responseStatus != "404" and responseStatus != "503" and count_ > 150 and remote_address != ""


The problem is that responseStatus is not recognized in the "where" line since it's not in the summarize. I don't want it to be in the summarize since it will split all values of responseStatus.


Does anybody have an idea how responseStatus != "503" can be valid in the "where" line?


I hope the question is clear, Thanks.

2 Replies
Can you move this line BEFORE the summarize

| where responseStatus != "403" and responseStatus != "404" and responseStatus != "503" and remote_address != ""

then have this line after the summarize?

| where count_ > 150
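The reordered pipeline, as an added example that is not part of the thread: the status and empty-address filters run on the raw rows before summarize, and only the count threshold runs after it. It uses a constructed datatable instead of the F5_CL table so it runs in any Log Analytics workspace; the field positions after split() are the ones the original query assumes (index 1 remote address, 3 response status, 5 request line). Two things are assumptions of this example rather than the original: the URL path is pulled with extract() instead of the nested trim() calls, and the threshold is lowered from 150 to 2 so the handful of sample rows trips it. An optional make_set(responseStatus) keeps the status values visible in the summarized output without adding them to the by clause, which is what splits the groups.

```kql
// Added example, not the original poster's query. Constructed sample rows
// stand in for F5_CL; the '##'-delimited layout follows the original post.
let SampleLogs = datatable(TimeGenerated:datetime, RawData:string)
[
    datetime(2024-04-03T10:00:00Z), "x##203.0.113.10##x##200##x##GET /login?user=a HTTP/1.1",
    datetime(2024-04-03T10:00:01Z), "x##203.0.113.10##x##200##x##GET /login?user=b HTTP/1.1",
    datetime(2024-04-03T10:00:02Z), "x##203.0.113.10##x##302##x##GET /login?user=c HTTP/1.1",
    datetime(2024-04-03T10:00:03Z), "x##198.51.100.7##x##404##x##GET /missing HTTP/1.1",
    datetime(2024-04-03T10:00:04Z), "x##198.51.100.7##x##404##x##GET /missing HTTP/1.1",
    datetime(2024-04-03T10:00:05Z), "x##198.51.100.7##x##404##x##GET /missing HTTP/1.1",
    datetime(2024-04-03T10:00:06Z), "x####x##200##x##GET /health HTTP/1.1"
];
SampleLogs
// Fixed window so the constructed timestamps match; use ago(3m) against live data.
| where TimeGenerated between (datetime(2024-04-03T10:00:00Z) .. datetime(2024-04-03T10:05:00Z))
| extend Fields = split(RawData, '##')
| extend remote_address = tostring(Fields[1]),
         responseStatus = tostring(Fields[3]),
         // Assumption of this example: path without query string, via extract()
         // rather than the original's trim() chain.
         URL_Path = extract(@'^\S+\s+([^\s?]+)', 1, tostring(Fields[5]))
// Row-level filters belong BEFORE summarize, while responseStatus still exists.
| where responseStatus !in ("403", "404", "503") and isnotempty(remote_address)
// Grouping only by path and address; make_set keeps the statuses visible
// without splitting the group per status value.
| summarize count(), statuses = make_set(responseStatus) by URL_Path, remote_address
// Only the aggregate threshold goes AFTER summarize. Original uses 150;
// lowered to 2 here so the sample rows produce a result.
| where count_ > 2
// Expected single row: URL_Path "/login", remote_address "203.0.113.10",
// count_ 3, statuses ["200","302"]. The 404 rows and the empty-address row drop out.
```

On live data, the threshold is the detection knob: a single remote address hitting one path more than 150 times in three minutes is the kind of volume worth alerting on, and filtering 403/404/503 first avoids counting requests the device already rejected or failed.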

@CliveWatson 
Wow!
It works, Thanks!!