Definitely a noob, and I must be missing something simple...
I have two log files reporting the same error at similar times, and I am trying to correlate the two: an LDAP authentication failure reported in both the LDAP server log and the application log.
Using:
| multisearch [search index=1 "222"] [search index=2 "222"]
returns the desired results, but I would like to filter the results down to those where I have a match in both searches based on the timestamp. For instance, if there are 10 events returned from the first search and 1 returned from the second, I would like to show just those two based on a matching timestamp (or bucket, if need be).
Try this. It will return events where two or more fall in the same 1-minute bucket. Adjust the bucket size as necessary to reduce the likelihood of two events from the same index.
(index=index1 "222") OR (index=index2 "222") | bucket span=1m _time
| stats count, list(*) as * by _time
| where count > 1
| fields - count
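The bucket join above is easy to reason about if you replay it outside Splunk. The following Python is an added example, not code from the thread or from Splunk: it reimplements `bucket span=1m _time | stats ... by _time` over two constructed log sources, then compares the answer's `count > 1` test with a stricter check that requires events from both indexes in the bucket (the SPL equivalent is `stats dc(index) as sources, list(*) as * by _time | where sources > 1`). The log lines, field names and the `ldap`/`app` index names are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (not from the thread). Both sources report the
# same failure marker, "222", as in the question's two searches.
LDAP_LOG = """\
2024-03-05T10:15:07Z ldap bind failed err=222 dn=uid=alice,ou=people,dc=example,dc=com
2024-03-05T10:15:41Z ldap bind failed err=222 dn=uid=bob,ou=people,dc=example,dc=com
2024-03-05T10:22:03Z ldap bind failed err=222 dn=uid=carol,ou=people,dc=example,dc=com
2024-03-05T10:22:45Z ldap bind failed err=222 dn=uid=carol,ou=people,dc=example,dc=com
2024-03-05T10:40:12Z ldap bind ok dn=uid=erin,ou=people,dc=example,dc=com
"""

APP_LOG = """\
2024-03-05T10:15:09Z app auth failure code=222 user=alice
2024-03-05T10:31:55Z app auth failure code=222 user=dave
"""


def parse(index, text, marker="222"):
    """Turn raw lines into Splunk-shaped events: _time, index, _raw.
    Only lines containing the marker are kept (the "222" in the searches)."""
    events = []
    for line in text.splitlines():
        if marker not in line:
            continue
        stamp = datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S")
        events.append({"_time": stamp.replace(tzinfo=timezone.utc),
                       "index": index, "_raw": line})
    return events


def bucket(events, span=60):
    """Equivalent of `bucket span=1m _time`: floor each timestamp to the
    start of its span-second window and group events by that window."""
    groups = defaultdict(list)
    for ev in events:
        ts = int(ev["_time"].timestamp())
        start = datetime.fromtimestamp(ts - ts % span, tz=timezone.utc)
        groups[start].append(ev)
    return groups


def _fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def correlate_by_count(events, span=60):
    """The answer's logic: `stats count by _time | where count > 1`.
    Returns the start of every bucket holding two or more events,
    whichever index they came from."""
    return sorted(_fmt(t) for t, evs in bucket(events, span).items() if len(evs) > 1)


def correlate_by_source(events, span=60):
    """Stricter check (SPL: `stats dc(index) as sources ... | where sources > 1`):
    keep only buckets that contain events from more than one index, so two
    failures from the same log can never match each other."""
    return sorted(_fmt(t) for t, evs in bucket(events, span).items()
                  if len({ev["index"] for ev in evs}) > 1)


def matched_events(events, span=60):
    """Both-sides view of each match, like `list(*) as *` in the query:
    the raw lines from every index in each bucket that has both sources."""
    groups = bucket(events, span)
    return {_fmt(t): [ev["_raw"] for ev in sorted(evs, key=lambda e: e["_time"])]
            for t, evs in groups.items()
            if len({ev["index"] for ev in evs}) > 1}


if __name__ == "__main__":
    all_events = parse("ldap", LDAP_LOG) + parse("app", APP_LOG)
    print("count > 1    :", correlate_by_count(all_events))
    print("dc(index) > 1:", correlate_by_source(all_events))
    for start, lines in matched_events(all_events).items():
        print(start)
        for raw in lines:
            print("   ", raw)
```

With this data the `count > 1` version reports the 10:22 bucket, which holds two LDAP failures and no application event at all; the distinct-index version reports only the 10:15 bucket, where both logs saw the failure. Two other caveats carry over to the SPL: bucketing is a floor, so an LDAP event at 10:15:59 and an app event at 10:16:01 land in different buckets and are missed (widen the span or add a second pass with a shifted bucket if that matters), and the clocks of the two hosts must be in sync to within well under the span for any of this to be meaningful.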
Oh so close! This does exactly what you have described. However, when I try to view the events, I only get to see one of the two. Is there a way that I can see them both?
Try the updated query.
The updated query does give me what I was looking for. A million thanks!