I need assistance with an expression for syslog. I have a firewall syslog message, for example:
Teardown TCP connection 1067175433 for inside:10.1.5.21/60506 to outside:35.184.35.160/443 duration 0:01:27 bytes 18844 TCP FINs from outside
The objective is to alert on bytes > 200000000 or some threshold.
This doesn't work, but it shows the spirit of the task anyway:
select * from syslog.syslog_incoming where host = 'FTD-Primary' and message like '%bytes > 200000000%';
Is there a way to do this without the # being in a column of its own?
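One way to pull the byte count out of the message text inside the query itself, rather than storing it in its own column, is to locate the literal "bytes " token, take the characters up to the next space, and cast that to an integer. The block below is an added example written for this answer, not code from the original post. Because the post does not say which database holds syslog.syslog_incoming, it uses an in-memory SQLite table with the same host/message columns to show the technique against constructed sample messages; the SUBSTR/INSTR functions it uses exist in SQLite, MySQL and Oracle, while PostgreSQL would use STRPOS/POSITION and SQL Server CHARINDEX for the same thing. A plain regex parser is included alongside so the two can be checked against each other.

```python
import re
import sqlite3

# Constructed sample rows in the format quoted in the post (not real traffic).
# Mixed in: a UDP teardown where the count is the last token, a different host,
# and a "Built" message that carries no byte count at all.
SAMPLE_ROWS = [
    ("FTD-Primary", "Teardown TCP connection 1067175433 for inside:10.1.5.21/60506 "
                    "to outside:35.184.35.160/443 duration 0:01:27 bytes 18844 TCP FINs from outside"),
    ("FTD-Primary", "Teardown TCP connection 1067175434 for inside:10.1.5.22/51000 "
                    "to outside:203.0.113.10/443 duration 2:14:03 bytes 314572800 TCP FINs from inside"),
    ("FTD-Primary", "Teardown UDP connection 1067175435 for inside:10.1.5.23/53211 "
                    "to outside:198.51.100.5/53 duration 0:00:02 bytes 512"),
    ("FTD-Secondary", "Teardown TCP connection 1067175436 for inside:10.1.5.24/40001 "
                      "to outside:203.0.113.11/443 duration 1:00:00 bytes 250000000 TCP FINs from outside"),
    ("FTD-Primary", "Built outbound TCP connection 1067175437 for outside:203.0.113.12/443 "
                    "(203.0.113.12/443) to inside:10.1.5.25/40002 (10.1.5.25/40002)"),
]

BYTES_RE = re.compile(r"\bbytes (\d+)\b")


def bytes_from_message(message):
    """Return the byte count carried in a teardown message, or None if absent."""
    m = BYTES_RE.search(message)
    return int(m.group(1)) if m else None


# SQL expression that extracts the same number in the query.
# A space is appended to the message so the count is still delimited when it is
# the last token on the line. Function names are SQLite's (assumption: adapt
# INSTR/SUBSTR to the engine actually holding syslog_incoming).
BYTES_SQL = (
    "CAST(SUBSTR(message || ' ', INSTR(message, 'bytes ') + 6, "
    "INSTR(SUBSTR(message || ' ', INSTR(message, 'bytes ') + 6), ' ') - 1) AS INTEGER)"
)


def large_flows_sql(rows, host, threshold):
    """Load rows into a scratch table and return messages whose byte count exceeds threshold."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syslog_incoming (host TEXT, message TEXT)")
    conn.executemany("INSERT INTO syslog_incoming VALUES (?, ?)", rows)
    # INSTR(...) > 0 keeps messages without a byte count out of the CAST.
    query = (
        "SELECT message FROM syslog_incoming "
        "WHERE host = ? AND INSTR(message, 'bytes ') > 0 "
        f"AND {BYTES_SQL} > ?"
    )
    return [r[0] for r in conn.execute(query, (host, threshold))]


def large_flows_python(rows, host, threshold):
    """Same filter done in Python with the regex, for cross-checking the SQL."""
    hits = []
    for h, msg in rows:
        n = bytes_from_message(msg)
        if h == host and n is not None and n > threshold:
            hits.append(msg)
    return hits


if __name__ == "__main__":
    for msg in large_flows_sql(SAMPLE_ROWS, "FTD-Primary", 200000000):
        print("ALERT:", msg)
```

With the threshold from the post (200000000), only the 314572800-byte flow on FTD-Primary is returned; the 250000000-byte flow is dropped by the host filter, and the "Built" message never reaches the CAST. Parsing inside every query is fine for an ad hoc search, but if this alert runs on a schedule it is worth extracting the count once on ingest (or as a generated column) so the comparison can use an index.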