Splunk ES - Troubleshooting Web Data Model

We have ES up and running and I'm starting to review the various Security Domains and relevant dashboards/reports. For Security Domain -- Network -- Web Center there is a widget of 'Events Over Time By Status' that, when I send it to a search, returns values other than HTTP status codes (200, 401, etc.). I do a pivot of the web data model and select 'status' and 'sourcetype' and I see the pan:threat sourcetype from our Palo Alto logs included with values that do not correspond to HTTP status codes. Where, or how, would I go about excluding the pan:threat sourcetype from either the search or from 'status' altogether? The search is as follows:

| `tstats` count from datamodel=Web.Web where * by _time,Web.status span=10m | timechart minspan=10m useother=`useother` count by Web.status | `drop_dm_object_name("Web")`
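As an added example (not part of the original question, and not Splunk's or the ES app's own search), one way to keep the dashboard search from charting non-HTTP values: exclude the offending sourcetype in the tstats where clause and, as a belt-and-braces check, drop any status value that is not a three-digit code before it reaches timechart. It assumes the Palo Alto events reach the Web data model only via the pan:threat sourcetype named above.

```spl
| tstats count from datamodel=Web.Web
    where sourcetype!="pan:threat"
    by _time, Web.status span=10m
| where match('Web.status', "^\d{3}$")
| timechart minspan=10m useother=`useother` count by Web.status
| `drop_dm_object_name("Web")`
```

The search-level filter only hides the symptom; since the CIM Web data model is populated from events carrying tag=web, the durable fix is to correct the eventtype or tag assignment so that pan:threat events are no longer tagged as web traffic.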
