Describe the bug
About 99% of logs have the value "unknown" for the user field
Expected behavior
When the user field is known from one of the other fields such as SourceUser, DestinationUser, etc., that should be reflected in user
Current behavior
EVAL-user contains single quotes around field names. You only need single quotes when the field names have dots in them.
Possible solution
Replace the single quotes. Solution:
EVAL-user = case(SourceUser!="null",SourceUser,SourceUserName !="null",SourceUserName,src_user!="null",src_user,dest_user!="null",dest_user,recipient!="null",recipient,sender!="null",sender,true(),"unknown")
Steps to reproduce
Run
index=* sourcetype="pan:firewall_cloud" | top user
Observe that about 99% of the events have "unknown" as the field value
Screenshots
Context
The issue gives incorrect results when working with the data, especially when trying to normalize it to fit into the Network Traffic DM.
Your Environment
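The quoting rule the report relies on (single quotes are only needed around field names containing dots) can be checked mechanically across a TA's props.conf. The following lint is an added example, not code from the issue or from the TA: it parses EVAL- keys per stanza, flags single-quoted names that are plain identifiers, and produces the unquoted rewrite. The props.conf content is constructed; the quoted "before" form of EVAL-user is a hypothetical reconstruction of what the report describes, and the second stanza shows a dotted name whose quotes must be kept.

```python
"""Lint Splunk props.conf EVAL- expressions for needlessly single-quoted field names.

Added example (not part of the issue or the TA). Splunk eval only needs
'single quotes' around a field name when the name contains characters such as
dots; a plain identifier can be referenced bare.
"""
import re
from typing import Dict, List, Tuple

# Match a double-quoted string literal (group 1 unset) or a single-quoted name
# (group 1 set). Matching literals first keeps an apostrophe inside "..." from
# being mistaken for the start of a quoted field name.
TOKEN = re.compile(r'"[^"]*"|\'([^\']+)\'')
PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_evals(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza: {field: expression}} for every EVAL-<field> key.

    Single-line values only; backslash line continuations are not handled.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.upper().startswith("EVAL-"):
                stanzas[current][key[5:]] = value
    return stanzas


def needless_quotes(expr: str) -> List[str]:
    """Single-quoted names in an eval expression that are plain identifiers."""
    return [m.group(1) for m in TOKEN.finditer(expr)
            if m.group(1) and PLAIN_IDENT.match(m.group(1))]


def strip_needless_quotes(expr: str) -> str:
    """Rewrite the expression so only dotted/odd field names keep their quotes."""
    def fix(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name and PLAIN_IDENT.match(name):
            return name
        return m.group(0)
    return TOKEN.sub(fix, expr)


def lint(conf_text: str) -> List[Tuple[str, str, List[str], str]]:
    """(stanza, field, offending names, suggested expression) per flagged EVAL."""
    findings = []
    for stanza, evals in parse_evals(conf_text).items():
        for field, expr in evals.items():
            bad = needless_quotes(expr)
            if bad:
                findings.append((stanza, field, bad, strip_needless_quotes(expr)))
    return findings


# Constructed sample props.conf. The quoted EVAL-user is a hypothetical
# "before" form; the dotted field in the second stanza legitimately needs quotes.
SAMPLE_PROPS = """
[pan:firewall_cloud]
EVAL-user = case('SourceUser'!="null",'SourceUser','SourceUserName'!="null",'SourceUserName','src_user'!="null",'src_user','dest_user'!="null",'dest_user','recipient'!="null",'recipient','sender'!="null",'sender',true(),"unknown")

[example:dotted]
EVAL-src = if('client.ip'!="null",'client.ip',"unknown")
"""

if __name__ == "__main__":
    for stanza, field, bad, suggestion in lint(SAMPLE_PROPS):
        print(f"[{stanza}] EVAL-{field}: needless quotes on {sorted(set(bad))}")
        print(f"  suggested: EVAL-{field} = {suggestion}")
```

Running the script prints the `pan:firewall_cloud` stanza with the unquoted expression the report proposes, and stays silent on the dotted stanza. The parser is deliberately minimal (no continuation lines, no `#`-trailing comments), which is enough for a pre-commit check on a TA's props.conf.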