This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

getting value as Null

Go to solution
sharmas2
Participant

‎13 May 2025 03:21 PM

I am getting Null value in IPReputationSICategory field ..

PFB raw logs:-

DstIP=194.20.78.49, SrcPort=40227, DstPort=3257, Protocol=tcp, IngressInterface=DPB1-IN, EgressInterface=DPB1-OUT, IngressZone=CITADEL-Milan-DPB1, EgressZone=CITADEL-Milan-DPB1, ACPolicy=NGSS2-Milan, Prefilter Policy=NGSS2-Milan-Prefilter, InitiatorPackets=1, ResponderPackets=0, InitiatorBytes=58, ResponderBytes=0, SecIntMatchingIP=Source, IPReputationSICategory=Custom-Blocklist-Global-IP_FS, ClientAppDetector=AppID, HostName=IT1IPS03P4N1-1_2
Show less..

 

fetch logs // scanLimitGBytes: , samplingRatio: 1000
| filter contains(dt.security_context, "ngss")

| parse content,"LD 'IPReputationSICategory: '[0-9a-zA-Z-]{1,100}?:IPReputationSICategory','"
| summarize count(),by :{IPReputationSICategory,index}

for output please refer the attachment ..

sharmas2_0-1747146056272.png

 

Labels:
0 Kudos
Reply
2 REPLIES 2

Go to solution
cchanka
Visitor

‎13 May 2025 04:01 PM

Below DQL might work

fetch logs // scanLimitGBytes: , samplingRatio: 1000
| filter contains(dt.security_context, "ngss")
| parse content,"LD 'IPReputationSICategory=' LD:IPReputationSICategory ','"
| summarize count(),by :{IPReputationSICategory,index}
0 Kudos
Reply

Go to solution
marco_irmer
Champion

‎13 May 2025 10:14 PM - edited ‎13 May 2025 10:15 PM

Your log sample shows an equal sign character ('=') as the separator between the key and value, but your DPL pattern is using the colon character (':'). I believe this is the most likely cause of your issue. The DQL shared by @cchanka above is amended accordingly and this change is the reason it works.

0 Kudos
Reply
Ask a question

Featured Posts