Just a Sample

In the right Sample Data pane, we can see this Pack includes a sample of some firewall traffic called pan_firewall_traffic.log. This is probably the capture that Ed was working from. Let's explore it to admire the results of our SecOps admin’s fine work.

important

Load up the sample

1. In the Sample Data pane, click Simple next to pan_firewall_traffic.log
2. In the top left corner of the Preview Pane, click Out

Now we are looking at the output of this Pipeline and its collection of Functions. In case you are not familiar with the color coding in the Preview pane, here is a brief explanation:

note

Colors in the sample pane

• Green is a net new field. A field was added to the event by Stream. This is usually when you are separating information from a long _raw field or if you want to enrich the event by adding something not there, like the host or index.
• Orange is a modified field. Here, something was changed. The field isn’t new and the field wasn’t deleted, but some information was changed. This is usually done when cleaning up a dirty field, like getting rid of the time stamp in _raw.
• Red is a deleted field. This field and information were deleted from the event. To reduce size, original fields are deleted after useful information is pulled out, cleaned up, or put into other fields.

With these colors in mind, we can see how Ed’s comments line up with the actual results. Neat.

All that’s left to do is move this Pack into production and let it work its magic!