How to split the following status="Deny" priority=...

rolfiee · ‎09-23-2016

Hi All,

I have the following search result, but how to split it in a nice view e.g. like row names and values.

Sep 23 10:25:53 10.240.9.3 device="SFW" date=2016-09-23 time=10:25:37 timezone="CEST" device_name="SFVUNL" device_id=C01001HG7RJMW4D log_id=010302602002 log_type="Security Policy" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="PortD" out_interface="" src_mac=3c:4a:92:e7:17:70 src_ip=0.0.0.0 src_country_code= dst_ip=255.255.255.255 dst_country_code= protocol="UDP" src_port=68 dst_port=67 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat"

Thanks!

sundareshr · ‎09-23-2016

Append table command to the end. Try this

your current query | table * | fields - _raw

How to split the following status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...