vagner.silva Absent Member.

Logger Dashboards - How Can I use "top" using columns starting with "ad."

Hello Guys,
Good Morning.

Is there a way to top those columns starting with "ad." ?

Let me explain what I am trying to do.

I have URL Filter running in the Firewall Checkpoint, and in some events where requestUrl is null I found important information in the column "ad.appi_name".

But when I try to use top, like this:

deviceProduct = "URL Filtering" deviceAction= block | where requestUrl is null | Top 10 ad.appi_name

the following error is shown:

There was a problem: Failed parsing [10 ad.appi_name] got error: no viable alternative at character '.' Usage: | top [COUNT] (FIELD_NAME)+

What can I do?

MarkSamark Super Contributor.

Re: Logger Dashboards - How Can I use "top" using columns starting with "ad."

Hi,

Additional data fields need to be mapped to a field first before they can be used in any analysis.

anirudhanayak@g Outstanding Contributor.

Re: Logger Dashboards - How Can I use "top" using columns starting with "ad."

As Mark has already mentioned, you need to add these additional fields to Logger schema before you call those fields in a search query/report. To map those fields, you have to change the logger to maintenance mode and then do the mapping.

Follow the steps mentioned in the Logger admin guide, starting at page 306.

Regards,

Anirudh

rkent1 Acclaimed Contributor.

Re: Logger Dashboards - How Can I use "top" using columns starting with "ad."

Hi Vagner,

Map the ad.appi_name value to a standard field (e.g. deviceCustomString1) and then you can do a "TOP" on that value.

This guide [] is hands-down the best training "real world" resource I know of on how to map additional data fields.

Regards,

Richard
