Filter Search Query results not the same as Search page query

I’m trying to create some definitions for Events, and I can get search results using the Search page, but when I use the same search in the Search Query, I do not receive any (or the same) results.

I’m specifically searching Palo-Alto 9 logs. Some examples:

These work in Search, but not in the Search Query in the Event Definition:

I can get this one to work in Search Query, but it leaves out any that are “medium-risk,unknown”:
http_url_category contains "medium-risk"

I’ve looked through the documentation and searched the forum, but haven’t found anything similar.

What would be the appropriate syntax to get queries similar to:

  • alert_category:unknown
  • http_url_category:"medium-risk,unknown"

to work?

Try to use AND, OR in the query, depending on your requirements.
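
As an added illustration of the AND/OR approach suggested above (not code from the thread or from Graylog itself), the small helper below builds a query that matches any of several values in one field, and combines such clauses with AND. It assumes the Graylog search box accepts Lucene-style syntax, where a double-quoted value is matched literally (so hyphens and commas inside it are not treated as operators) and clauses can be grouped with parentheses.

```python
# Build Lucene-style Graylog queries from field/value lists.
# Assumption: Graylog's search accepts Lucene syntax (quoted phrases, AND/OR, parentheses).

def quote_value(value: str) -> str:
    """Wrap a value in double quotes so characters such as '-' and ',' are taken literally.
    Embedded backslashes and quotes are escaped so the quoted term stays well-formed."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def any_of(field: str, values: list[str]) -> str:
    """Clause matching documents whose `field` equals any of `values` (OR-joined)."""
    if not values:
        raise ValueError("at least one value is required")
    return " OR ".join(f"{field}:{quote_value(v)}" for v in values)


def all_of(clauses: list[str]) -> str:
    """AND-join clauses; each clause is parenthesised so OR inside it keeps its grouping."""
    return " AND ".join(f"({c})" for c in clauses)


if __name__ == "__main__":
    # Constructed values mirroring the question: either URL category, and a block action.
    category = any_of("http_url_category", ["medium-risk", "unknown"])
    action = any_of("vendor_event_action", ["block-url"])
    print(category)
    print(all_of([category, action]))
```

A value that is itself stored as `medium-risk,unknown` in one field is a single token to quote, so `any_of("http_url_category", ["medium-risk,unknown"])` produces `http_url_category:"medium-risk,unknown"`; whether that matches the indexed term depends on how the field is analysed in the index, which is worth checking before relying on it in an event definition.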

Is medium-risk,unknown one single value in the field, or do you want to query one of the values in the field http_url_category?

I believe medium-risk,unknown is one single value in the field http_url_category. I would like to be able to get events that have either “medium-risk” or “unknown”. I would settle for “medium-risk,unknown”.

Another that seems to work in the Search, but not Search Query is:

  • vendor_event_action: block-url

I’ve tried:
vendor_event_action: block-url
vendor_event_action: block-url
vendor_event_action: "block-url"
