Background:
My Windows AD users are in index "windersAD". All of their web traffic is logged in index "wsa".
I would like to have a table with the timestamp, userID, source_IP, the URL, and the Web Category.
So far I have started with this:
`index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full="Online Storage*" | fields src, cs_url | dedup src ] | table _time, user, src, cs_url, x_webcat_code_full | dedup src`
What I get is "No results found". I don't think that I am passing the user field values correctly. Please help!
Thanks in advance!
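The search above returns no results because the subsearch hands back both `src` and `cs_url`, so the outer search on the AD index is required to match a `cs_url` value that AD logon events never carry. Since the URL and web category only exist in the proxy logs, one way to build the requested table is to start from the `wsa` side and enrich each violation with the AD user keyed on the client IP. The following is an added example, not code from the original post; it assumes `src` holds the client IP in both indexes and that the AD events expose the account name as `user`, exactly as the poster's field names suggest.

```spl
index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full="Online Storage*"
| fields _time, src, cs_url, x_webcat_code_full
| join type=left src
    [ search index="windersAD" user=*
      | dedup src
      | fields src, user ]
| table _time, user, src, cs_url, x_webcat_code_full
```

`type=left` keeps violations whose client IP has no AD match, so unattributed traffic still shows up for review instead of silently disappearing. `dedup src` in the subsearch keeps the most recent AD event per IP; with DHCP reuse that can attribute older proxy hits to a later user, so for an investigation narrow both sides to a matching time range (`earliest`/`latest`) rather than trusting the attribution blindly. Subsearches are also capped by the search head's result limits, so a large AD index may need `stats latest(user) as user by src` in the subsearch or a lookup built from the AD data instead.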