Function Examples

Let's try a few examples. If you've moved away from the Capture Sample Data modal, restore it:

note
  1. If you're not already there, select Manage from Stream's top nav, then select Processing > Pipelines from the submenu.
  2. Click the Capture Data button in the right pane.

In any of the capture examples, you may need to increase the capture time to ensure you get events. This can be done when you click the Capture... button.

For each of the expressions below, repeat the same steps you used for our first round of examples:

important
  1. Copy the expression.
  2. Paste it into the modal's Filter Expression field, replacing any existing expression.
  3. Click the modal's Capture... button, and then click Start in the resulting drop-down.
  4. Examine the results returned in the right pane.
  5. Repeat the above four steps for the next expression.

Each expression's results will show up in the Capture Sample Data modal's right pane. Here are the examples:

Look for pan:traffic firewall events that have a source IP address that is an RFC1918 "private" address.

sourcetype==='pan:traffic' && C.Net.isPrivate(src_ip)

Look for pan:traffic firewall events that represent traffic originating internally, but egressing the network.

sourcetype==='pan:traffic' && C.Net.isPrivate(src_ip) && ! C.Net.isPrivate(dest_ip)

This example matches any pan:traffic firewall events that have a destination hostname that ends in amazonaws.com.

sourcetype==='pan:traffic' && dest_hostname.endsWith("amazonaws.com")

This example matches any event that does not have a sourcetype, but contains the word CRON. In our example data set, this will return the /var/log/syslog file events from the cron daemon.

!sourcetype && _raw.includes("CRON")
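To see what these four filters actually select, here is an added example (not Cribl's code and not part of the original page) that reimplements the pieces the expressions depend on and runs them over a handful of constructed events. `isPrivate` is an assumed stand-in for `C.Net.isPrivate` that checks the three RFC 1918 ranges; the sample events, their `id` field, and the `runFilter` helper are constructed for this example.

```javascript
// Added example: stand-in for C.Net.isPrivate plus the four filter expressions
// above, applied to constructed sample events. Not Cribl's implementation.

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer; null if invalid.
function ipv4ToInt(ip) {
  if (typeof ip !== 'string') return null;
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
const PRIVATE_RANGES = [
  { base: ipv4ToInt('10.0.0.0'), bits: 8 },
  { base: ipv4ToInt('172.16.0.0'), bits: 12 },
  { base: ipv4ToInt('192.168.0.0'), bits: 16 },
];

// Assumed stand-in for C.Net.isPrivate: true only for RFC 1918 IPv4 addresses.
// Anything unparseable (missing field, hostname, IPv6) is treated as not private.
function isPrivate(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return PRIVATE_RANGES.some(({ base, bits }) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0; // network mask for /bits
    return ((n & mask) >>> 0) === base;
  });
}

// Mirror the C.Net namespace so the expressions read the same as on the page.
const C = { Net: { isPrivate } };

// The four filter expressions, each as a function of one event.
// dest_hostname is guarded with ?. so an event lacking that field yields false
// instead of throwing; Boolean() keeps the result a strict true/false.
const filters = {
  privateSrc: (e) => e.sourcetype === 'pan:traffic' && C.Net.isPrivate(e.src_ip),
  egress: (e) => e.sourcetype === 'pan:traffic' && C.Net.isPrivate(e.src_ip) && !C.Net.isPrivate(e.dest_ip),
  awsDest: (e) => e.sourcetype === 'pan:traffic' && Boolean(e.dest_hostname?.endsWith('amazonaws.com')),
  cron: (e) => !e.sourcetype && Boolean(e._raw?.includes('CRON')),
};

// Constructed sample events (documentation-range public IPs, made-up hostnames).
const SAMPLE_EVENTS = [
  { id: 1, sourcetype: 'pan:traffic', src_ip: '10.1.2.3',     dest_ip: '192.168.5.5',   dest_hostname: 'fileserver.corp.example' },
  { id: 2, sourcetype: 'pan:traffic', src_ip: '172.20.0.9',   dest_ip: '198.51.100.20', dest_hostname: 's3.amazonaws.com' },
  { id: 3, sourcetype: 'pan:traffic', src_ip: '203.0.113.7',  dest_ip: '10.0.0.5',      dest_hostname: 'vpn.corp.example' },
  { id: 4, sourcetype: 'pan:traffic', src_ip: '172.32.0.1',   dest_ip: '203.0.113.50',  dest_hostname: 'ec2.amazonaws.com' }, // 172.32/16 is NOT in 172.16/12
  { id: 5, _raw: 'Mar  1 06:25:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)' },               // no sourcetype
  { id: 6, sourcetype: 'syslog', _raw: 'Mar  1 06:25:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)' },
];

// Apply one named filter and return the ids of the events it keeps.
function runFilter(name, events) {
  const f = filters[name];
  if (!f) throw new Error(`unknown filter: ${name}`);
  return events.filter(f).map((e) => e.id);
}

for (const name of Object.keys(filters)) {
  console.log(name, runFilter(name, SAMPLE_EVENTS));
}
```

Two things the sample set is built to show: event 4 has a source of 172.32.0.1, which looks private at a glance but falls outside 172.16.0.0/12, so a correct `isPrivate` rejects it; and events 5 and 6 carry identical `_raw` text, with only the missing `sourcetype` making event 5 match the CRON filter. Note also that `endsWith("amazonaws.com")` is a plain suffix test, so a hostname such as `notamazonaws.com` would match it too; checking for the `.amazonaws.com` suffix is the tighter form if that matters for your data.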

On to Value Expressions!