Read the original post first, then compare its query with the one in this post.
The major change below is that unrated websites are now classified as UNRATED. I should have caught this when I was writing the original post, but in my testing I did not have many of the unrated items showing up and it didn’t show up on my radar.
_index=security_logs _sourceCategory=fw_security "subtype=webfilter"
| parse " catdesc=\"*\"" as category nodrop
| parse " error=\"*\"" as error nodrop
| keyvalue regex "=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) " keys "srcip"
| keyvalue regex "=(\d+) " keys "sentbyte", "rcvdbyte"
// Line below does the work
| if (error matches "unknown", "UNRATED", category) as category
| sentbyte+rcvdbyte as bytes
| sum(bytes) as bytes by category
| where bytes >=500
| sort by bytes
| limit 20