...
| Expand |
|---|
|
box.win_nxlog.dhcp
ddi.infoblox.dhcp.dhcpd
dhcp.bluecat.dhcpd
dhcp.infoblox.stdout
dhcp.isc.stdout
dhcp.microsoft.ip4
dhcp.microsoft.ip6
dhcp.unix.stdout
firewall.paloalto.system
|
Table structure
This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:
| Note |
|---|
Extra columns Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns. |
Data type | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
|
--srcIp- | | |
source_ip | str
| | |
source_ipv4 | ip4
|
-srcHost-destMac-srcMac--leaseIpAddress-leaseHardwareAddress-leaseHardwareAddress | |
message | str
|
--- Field transformations
Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.
| Rw ui tabs macro |
|---|
[ box.win_nxlog.dhcp ] [ ddi.infoblox.dhcp.dhcpd ] [ dhcp.bluecat.dhcpd ] [ dhcp.infoblox.stdout ] [dhcp.microsoft.ip4] ddiinfoblox.dhcpdddiinfoblox.dhcpdddibox.infobloxwin_nxlog.dhcp.dhcpdField in union table | Field in source table | Field transformation |
|---|
Data typeType | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
ddiinfoblox.dhcpdmessage_typeCategory | | str
| | source_ip | IPAddress_ip4 | | Code Block |
|---|
str(IPAddress_ip4) |
| str
| | source_ipv4 | source_ipv4 | | ip4
| | source_hostname | source_hostname | | str
| | source_mac | source_mac | | str
| | destination_mac | destination_mac | | str
| | description | BndStatus | | str
| | lease_ip | lease_ip | | str
| | lease_mac | lease_mac | | str
| | message | Message | | str
|
srcIpip4(0.0.0.0)ip4srcHost | rawTagged | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
|
destMac| Anchor |
|---|
| ddi.infoblox.dhcp.dhcpd |
|---|
| ddi.infoblox.dhcp.dhcpd |
|---|
|
ddi.infoblox.dhcp.dhcpdField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
null('')'ddi.infoblox.dhcp.dhcpd' |
| str
| | signature | message_type | | str
|
srcMac | source_ip | - | | str
| | source_ipv4 | source_ipv4 | | ip4
| | source_hostname | source_hostname | | str
| | source_mac | source_mac | | str
| | destination_mac | destination_mac | | str
| | description | - | | str
|
leaseIpAddress | leaseIpAddressleaseHardwareAddress | leaseHardwareAddress | lease_mac | lease_mac | | str
| | message | message | | str
| | rawSource | rawMessage | | str
| | rawTagged | tag rawMessage |
tag | | Code Block |
|---|
tag + ": " + rawMessage |
| str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| dhcp.bluecat.dhcpd |
|---|
| dhcp.bluecat.dhcpd |
|---|
|
dhcp.bluecat.dhcpdField in union table | Field in source table | Field transformation |
|---|
Data type| Code Block |
|---|
null('')Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
'dhcp.bluecat.dhcpd' |
| str
| | signature | signature | | str
| | source_ip | srcIp | | str
| | source_ipv4 | source_ipv4 | | ip4
|
srcHost | - | source_hostname | source_hostname | | str
|
destMac | destMacsrcMac | srcMacleaseHardwareAddress | - | | | destination_mac | destination_mac | | str
| | description | - | | str
|
leaseIpAddress | - | | str
| lease_ip | lease_ip | | str
| | lease_mac | lease_mac | | str
| | message | message | | str
| | rawSource | rawSource | | str
| | rawTagged | rawTagged | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| dhcp.infoblox.stdout |
|---|
| dhcp.infoblox.stdout |
|---|
|
dhcp.infoblox.stdoutField in union table | Field in source table | Field transformation |
|---|
Data typeType | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
'dhcp.infoblox.stdout' |
| str
| | signature | packet | | str
|
srcIp(ip40.0.0.0'))ip4
| srcHost | str
| | source_ipv4 | source_ipv4 | | ip4
| | source_hostname | source_hostname | | str
| | source_mac | source_mac | | str
| | destination_mac | destination_mac | | str
| | description | - | | str
| | lease_ip | lease_ip | | str
| | lease_mac | lease_mac | | str
| | message | message | | str
| | rawSource | rawSource | | str
| | rawTagged | rawTagged | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
|
destMac| Anchor |
|---|
| dhcp.isc.stdout |
|---|
| dhcp.isc.stdout |
|---|
|
dhcp.isc.stdoutField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
null(')str
| srcMac | - | | Code Block |
|---|
null('') | str
| | signature | packet | | str
| | source_ip | ofAddress | | str
| | source_ipv4 | source_ipv4 | | ip4
| | source_hostname | source_hostname | | str
| | source_mac | source_mac | | str
| | destination_mac | destination_mac | | str
| | description | - | | str
|
leaseIpAddress | leaseIpAddressleaseHardwareAddress | leaseHardwareAddress | lease_mac | lease_mac | | str
| | message | message | | str
| | rawSource | rawSource | | str
| | rawTagged | rawTagged | | str
| | rawMessage |
rawMessagerawSource | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
[ dhcp.microsoft.ip4 ] [ dhcp.microsoft.ip6 ] [ dhcp.unix.stdout ] [ firewall.paloalto.system ] | Anchor |
|---|
| dhcp.microsoft.ip4 |
|---|
| dhcp.microsoft.ip4 |
|---|
|
dhcp.microsoft.ip4Field in union table | Field in source table | Field transformation |
|---|
Data typeType | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
'dhcp.infoblox.ip4' |
| str
| | signature | - | | str
| | source_ip | srcIp | | str
| | source_ipv4 | source_ipv4 | | ip4
|
srcHost | srcHost| Code Block |
|---|
null('') | source_hostname | source_hostname | | str
|
destMac | - | srcMac | srcMac| Code Block |
|---|
null('') | destination_mac | destination_mac | | str
| | description | description | | str
|
leaseIpAddress | - | | Code Block |
|---|
null('')leaseHardwareAddress | - | lease_mac | lease_mac | | str
| | message | - | | str
| | rawSource | - | | str
| | rawTagged | rawTagged | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| dhcp.microsoft.ip6 |
|---|
| dhcp.microsoft.ip6 |
|---|
|
dhcp.microsoft.ip6Field in union table | Field in source table | Field transformation |
|---|
Data typeType | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
'dhcp.infoblox.ip6' |
| str
| | signature | - | | str
|
srcIp| Code Block |
|---|
ip4(srcIp6)| Code Block |
|---|
null('') | | str
| | source_ipv4 | source_ipv4 | | ip4
|
srcHost | - | srcMac | - | | source_hostname | source_hostname | | str
|
destMac | - | | str
| | Code Block |
|---|
null('')source_mac | source_mac | | str
| | destination_mac | destination_mac | | str
| | description | description | | str
|
leaseIpAddress | - | | Code Block |
|---|
null('')leaseHardwareAddress | - | lease_mac | lease_mac | | str
| | message | - | | str
| | rawSource | rawSource | | str
| | rawTagged | rawTagged | | str
| | rawMessage | rawSource | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| dhcp.unix.stdout |
|---|
| dhcp.unix.stdout |
|---|
|
dhcp.unix.stdoutField in union table | Field in source table | Field transformation |
|---|
Data typeType | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
'dhcp.unix.stdout' |
| str
| | signature | dhcpMessageType | | str
| | source_ip | - | | str
|
srcIp | source_ipv4 | source_ipv4 | | ip4
| | source_hostname | source_hostname | | str
| | source_mac | source_mac | | str
| | destination_mac | destination_mac | | str
| | description | - | |
(ip40.0.0.0'))ip4
| srcHost | str
| | lease_ip | lease_ip | | str
| | lease_mac | lease_mac | | str
| | message | - | | str
|
destMac | | rawSource | rawSource | | str
| | rawTagged | rawTagged | | str
| | rawMessage | rawSource | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| firewall.paloalto.system |
|---|
| firewall.paloalto.system |
|---|
|
firewall.paloalto.systemField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
null('firewall.paloalto.system' |
|
)srcMacdescription | -null(''leaseIpAddress | leaseIpAddress | | source_ipv4 | source_ipv4 | | ip4
| | source_hostname | source_hostname | | str
| | source_mac | source_mac | | str
| | destination_mac | destination_mac | | str
| | description | description | | str
| | lease_ip | lease_ip | | str
|
leaseHardwareAddress | leaseHardwareAddress | lease_mac | lease_mac | | str
| | message | - | | str
| | rawSource |
rawSource rawTagged | tag rawMessage | | Code Block |
|---|
tag + ": " + rawMessage |
| str
| | rawMessage |
rawSourcerawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
