I want to correlate data between logs collected from 2 different sources and I want to alert when a condition is met. How can I create a search for this? Example:
Source 1 log output is: source1_ipaddress visiting_particular_url
Source 2 log output is: source2_ipaddress hostname username
I want to send email alert containing "username" from Source 2 whenever Source 1 logs the event AND source1_ipaddress=source2_ipaddress.
How can I do this? I will appreciate your response. Thanks.
I am also interested in doing something similar - I am particularly concerned with correlating an alert based on 2 performance counters. For example: we would like to watch % processor time and available mbytes - should both breach certain conditions, then send an alert to me.
Any help would be appreciated.
It's easy:

index=blah counter="% Processor Time" | eval CPU_Usage=Value | join host [search index=blah counter="% Available MBytes" | eval Mem_Usage=Value] | table host, CPU_Usage, Mem_Usage | where <Condition> | eval Status=if(CPU_Usage>50 AND Mem_Usage>(any value), "Warning", "Critical")
Same goes for the above question.
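For the original question (matching source1_ipaddress against source2_ipaddress and emailing the username), here is an added example search that is not from the thread or the answerer. It assumes the two feeds are indexed as sourcetype=source1 and sourcetype=source2 with the field names from the question already extracted, and it uses stats instead of join so the correlation is not subject to join's subsearch result limits.

```spl
index=blah (sourcetype=source1 OR sourcetype=source2) earliest=-15m
| eval ip=coalesce(source1_ipaddress, source2_ipaddress)
| stats values(visiting_particular_url) AS url,
        values(username) AS username,
        dc(sourcetype) AS sources
  BY ip
| where sources=2 AND isnotnull(url)
| table ip, username, url
| sendemail to="soc@example.com" subject="Source1 visit by $result.username$" sendresults=true
```

The assumed 15-minute window is what "whenever Source 1 logs the event" becomes in practice; schedule this as an alert on the same cadence so each run only correlates events from that window, and drop the sendemail line if you prefer the alert's built-in email action.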