Groups Table

The groups table displays the result of the analysis by listing the groups and the corresponding values for the following default fields:

More Topics:

Column Details

Field (s)

The field that’s used to analyze the group

Count

The number of log records in the group

Start Time

The start of the time period for which the logs are considered for the analysis

End Time

The end of the time period for which the logs are considered for the analysis

Group Duration

The duration of the log event for the group

Add URLs to Link Table

You can create links using the url function of the eval command.

Additional Topics:

In the following query, the values for Search 1, Search 2, and Search 3 are assigned URLs:

'Log Source' = 'Database Alert Logs' 
| link cluster() 
| where 'Potential Issue' = '1' 
| nlp keywords('Cluster Sample') as 'Database Error' 
| eval 'Search 1' = url('https://www.google.com/search?q=' || 'Database Error') 
| eval 'Search 2' = url('https://www.google.com/search?q=' || 'Database Error', Errors) 
| eval 'Search 3' = url(google, 'Database Error')

Link table with the links added using the url function in the eval command

In the above analysis:

  • Search 1, Search 2, and Search 3 are now clickable Fields. Click the link to view the search results for those keywords.

  • Search 2 does not display the entire URL. Instead, the second parameter in the url function is used to give the URL a different name, for example, Errors.

  • Search 3 is similar to Search 1, but the short-cut google is used to generate the URL. Instead of using the whole URL, you can use similar short-cuts.

Use URL Short-Cut with Custom Name

Consider the following example where a name is provided for the short-cut:

'Log Source' = 'Database Alert Logs' 
| link cluster() 
| where 'Potential Issue' = '1' 
| nlp keywords('Cluster Sample') as 'Database Error' 
| eval 'Search 1' = url('https://www.google.com/search?q=' || 'Database Error') 
| eval 'Search 2' = url('https://www.google.com/search?q=' || 'Database Error', Errors) 
| eval 'Search 3' = url(google, 'Database Error') 
| eval 'Search 4' = url(google, 'Search Using Google', 'Database Error')
| eval 'Search 5' = url(duckduckgo, 'Search Using DuckDuckGo', 'Database Error')

Oracle-defined shortcuts google and duckduckgo and their custom names

In the above example, Search 4 is similar to Search 3 but only differs in the name given to the short-cut in Search 4. The short-cut google has the name Search Using Google which is displayed in the table. In Search 5, the short-cut duckduckgo has the name Search Using DuckDuckGo which is displayed in the table. For a full list of Oracle-defined short-cuts available with the url function, see Oracle-Defined url Short-Cuts.

Use the CVE Short-cut to Link to CVE Databases

Use the cve short-cut in the url function to create a link to the CVE repository.

'Log Source' like '%Access Logs%' 
| link 'Client Host Continent' 
| addfields [ jndi | stats count as 'JNDI Count' ],
            [ URI like '%context.get(%com.opensymphony.xwork2.dispatcher.httpservletresponse%' | stats count as 'GetContext Count' ] 
| eval 'Threat ID' = if('JNDI Count' > 0,       'CVE-2021-44228',
                        'GetContext Count' > 0, 'CVE-2013-2251',
                        null) 
| eval Description = if('JNDI Count' > 0,       'Log4j Vulnerability - ' || 'Threat ID',
                        'GetContext Count' > 0, 'Struts Exploit - '      || 'Threat ID',
                         null) 
| eval CVE = url(cve, Description, 'Threat ID')
| fields -'Threat ID', -Description, -'JNDI Count', -'GetContext Count'

CVE Shortcut to Link to CVE Databases

In the above example, the CVE column links to the CVE repository for the value of each Client Host Continent from the Access Logs.

Use the OCID Shortcut to Automatically Link to OCI Resources

Use the ocid short-cut in the url() function to create a link to a relevant page to OCI. If the resource has a specific page, then the URL would point to the direct link. Otherwise the URL would point to the Resource Query Service results for that OCID.

'Log Source' = 'OCI Audit Logs' and 'Resource ID' like 'ocid%' and 
'Resource ID' not like in ('%managementsavedsearch%', '%managementdashboard%', '%organizationsentity%', '%coreservicesworkrequest%')
| eval 'Resource Type' = substr('Resource ID', 6, indexOf('Resource ID', '.', 6))
| link 'Resource Type'
| stats earliest('Resource ID') as 'Resource ID'
| eval 'OCI Resource' = url(ocid, 'Resource ID')
| sort 'Resource Type'
| fields -'Start Time', -'End Time', -Count, -'Resource ID'

OCID Shortcut to Link to OCI Resources

In the above example, the OCID of each OCI resource type is picked up from the OCI Audit Logs.

Hide, Show, or Order the Table Columns

Use the fields target = ui command to control the fields that should be hidden or shown in the link groups table. You can also use this command to control the order of the fields.

Here are a few examples:

Hide all the Time fields, order the table as Size, Log Source, Count:

* | eval 'Raw Size' = unit('Raw Size', byte)
 | link 'Log Source'
 | stats sum('Raw Size') as Size
 | fields target = ui -'*Time', Size, 'Log Source', Count

Same as above, but using multiple fields commands:

* | eval 'Raw Size' = unit('Raw Size', byte)
 | link 'Log Source'
 | stats sum('Raw Size') as Size
 | fields target = ui -'*Time'
 | fields target = ui Size, 'Log Source', Count 

Combination of fields and fields target = ui (fields without target = ui performs filtering in the backend):

* | eval 'Raw Size' = unit('Raw Size', byte)
 | link 'Log Source'
 | stats sum('Raw Size') as Size
 | fields -'*Time'
 | fields target = ui Size, 'Log Source', Count