Correlation between 3 sources with 2 IDs

jsp · ‎06-18-2013

I have 3 sourcetypes, and am trying to correlate them based off of 2 IDs. Here is an oversimplified example of the data and what I am trying to achive:

index=books sourcetype=titles
fields: title   title_id    queue_id

index=books sourcetype=authors
fields: author  title_id

index=books sourcetype=locations
fields: location    queue_id

What is the easiest way to get title, author, location, title_id, queue_id in one row of results, based on a search for a title?

alacercogitatus · ‎06-18-2013

index=books sourcetype=titles title=TITLE | join type=outer title_id [search index=books sourcetype=authors ]|join type=outer queue_id [search index=books sourcetype=locations]| stats count by title author location title_id queue_id

Should get you started. join's are a little ineffective, but if you make them static lookups, they would run faster.

Correlation between 3 sources with 2 IDs

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk