diff --git a/SplunkforPaloAltoNetworks/default/data/ui/views/web_activity.xml b/SplunkforPaloAltoNetworks/default/data/ui/views/web_activity.xml
index fc4eb388..c16c1a98 100644
--- a/SplunkforPaloAltoNetworks/default/data/ui/views/web_activity.xml
+++ b/SplunkforPaloAltoNetworks/default/data/ui/views/web_activity.xml
@@ -1,7 +1,7 @@
- | tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" $serial$ $vsys$ $src_ip$ $dest_name$ "$user|s$" $app$ $content$ $category$ $action$ GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action | rename log.* AS *
+ | tstats summariesonly=t values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" $serial$ $vsys$ $src_ip$ $dest_name$ "$user|s$" $app$ $content$ $category$ $action$ GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action | rename log.* AS * $time.earliest$ $time.latest$
@@ -307,7 +307,7 @@ file_name=$row.file_name|s$&earliest=$time.earliest$&latest=$time.latest Decrypted Traffic
- | tstats values(log.flags) AS log.flags, values(log.user) AS log.user, count FROM datamodel=pan_firewall WHERE nodename="log.url" GROUPBY _time log.src_ip log.dest_name log.category log.app log.action log.content_type log.vendor_action | rename log.* AS * | search flags="decrypted" | table _time src_ip user dest_name category app flags count
+ | tstats summariesonly=t values(log.flags) AS log.flags, values(log.user) AS log.user, count FROM datamodel=pan_firewall WHERE nodename="log.url" GROUPBY _time log.src_ip log.dest_name log.category log.app log.action log.content_type log.vendor_action | rename log.* AS * | search flags="decrypted" | table _time src_ip user dest_name category app flags count -60m now 1
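Review bot: `summariesonly=t` on the Decrypted Traffic `tstats` in the second hunk silently excludes any event the pan_firewall data-model acceleration has not yet summarized, so with the panel's default `-60m`/`now` window the most recent minutes — exactly the period an analyst watching for decrypted sessions cares about — can be missing, and if acceleration is disabled on the data model the panel returns an empty result rather than an error. Nothing in the view tells a maintainer this; suggest an XML comment beside the query such as `<!-- summariesonly=t: requires acceleration on datamodel pan_firewall; events not yet summarized (the last few minutes, or everything if acceleration is off) are omitted -->`. Consider pairing it with `allow_old_summaries=t` so summaries built under a previous revision of the data model are not dropped as well. The same caveat applies to the first hunk's query, whose window comes from the `$time.earliest$`/`$time.latest$` tokens. The enclosing `<query>`/`<earliest>`/`<latest>` elements appear to have been stripped in this rendering, so the exact element boundaries are inferred.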