Query Details

Meraki Parser

Query

//Available columns: ['host','devicename','type','hostname','src_ip','log_type','contents','dst_ip','src_port','dst_port','protocol','mac_address','request_type','uri','translated_src_ip','translated_dst_ip','pattern','translated_port','agent','message','@timestamp']

Cisco_Meraki_CL
| where TimeGenerated > ago(10d)
| extend ParseFields  = split(RawData, ' ')
| extend EventMonth   = tostring(ParseFields[0])
| extend EventDay     = tostring(ParseFields[1]) 
| extend Time         = tostring(ParseFields[2]) 
| extend DeviceIP     = tostring(ParseFields[3]) 
| extend Fluff_1      = tostring(ParseFields[4]) 
| extend Addr         = tostring(ParseFields[5])
| extend Server       = tostring(ParseFields[6])
| extend Method       = tostring(ParseFields[7])
| extend Source       = tostring(ParseFields[8])
| extend Destination  = tostring(ParseFields[9])
| extend MAC          = tostring(ParseFields[10])
| extend Protocol     = tostring(ParseFields[11])
| extend S_Port       = tostring(ParseFields[12])
| extend D_Port       = tostring(ParseFields[13])
| extend Fluff_2      = tostring(ParseFields[14])
| extend Pattern      = tostring(ParseFields[15])

Explanation

This query extracts specific fields from the Cisco Meraki custom log table (Cisco_Meraki_CL) and assigns them to new columns. It splits the space-delimited RawData column into an array and assigns each positional element to its own column. The extracted fields are EventMonth, EventDay, Time, DeviceIP, Fluff_1, Addr, Server, Method, Source, Destination, MAC, Protocol, S_Port, D_Port, Fluff_2, and Pattern.
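As an added example, not part of the parser above, the same positional split run over two constructed rows standing in for Cisco_Meraki_CL, beside a position-independent parse of the key=value fields. The row contents are an assumption about the line shape that the parser's field positions imply, not real Meraki telemetry; the second row shows how a line with a different token layout leaves the positional columns shifted or empty.

```kql
// Constructed sample rows (assumption about line shape; not real Meraki telemetry)
let SampleMeraki = datatable(TimeGenerated:datetime, RawData:string)
[
    datetime(2020-11-04 10:00:00), "Nov 4 10:00:00 10.1.1.1 1 1604484000.123 MX84 flows src=192.168.1.20 dst=8.8.8.8 mac=00:11:22:33:44:55 protocol=udp sport=52456 dport=53 pattern: allow all",
    datetime(2020-11-04 10:00:01), "Nov 4 10:00:01 10.1.1.1 1 1604484001.456 MX84 urls src=192.168.1.20:51000 dst=93.184.216.34:443 mac=00:11:22:33:44:55 request: GET https://example.com/"
];
SampleMeraki
// Positional parse, as in the original query
| extend ParseFields = split(RawData, ' ')
| extend Method   = tostring(ParseFields[7]),
         Source   = tostring(ParseFields[8]),
         S_Port   = tostring(ParseFields[12]),
         D_Port   = tostring(ParseFields[13]),
         Pattern  = tostring(ParseFields[15])
// Position-independent parse: names each key=value field regardless of where it sits.
// Rows whose RawData does not match the pattern get empty strings in these columns.
| parse RawData with * "src=" Src " dst=" Dst " mac=" Mac " protocol=" Proto " sport=" SPort " dport=" DPort " pattern: " Pat
| extend SPort = toint(SPort), DPort = toint(DPort)
// Flag rows where the positional layout did not line up with the flows format,
// so a dashboard built on S_Port/D_Port/Pattern is not silently fed shifted values
| extend PositionalParseOK = Method == "flows" and isnotempty(Pat)
| project TimeGenerated, Method, PositionalParseOK, S_Port, D_Port, Pattern, Src, Dst, Proto, SPort, DPort, Pat
```

For the first row both parses agree (S_Port/D_Port are the raw "sport=52456"/"dport=53" tokens, SPort/DPort the parsed integers); for the "urls" row the positional columns carry unrelated tokens while the parsed columns are empty and PositionalParseOK is false.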

Details


Rod Trent

Released: November 4, 2020

Tables

Cisco_Meraki_CL

Keywords

Devices,Intune,User

Operators

where, >, ago, extend, split, tostring
