I am trying to group three sets of indexes' logs when all three have the same source and destination IP address within a minute of each other. My initial thought was to use
transaction, but I ran into a problem because the source IP in index-A is called 'dvcip'. Is there a way to have transaction see the dvcip value of Index-A and match that with the src_ip value of Index-B & C?
Ultimately, I'd like to join these logs together to then create a table (username, hostip, srcip, dest_ip, website, category, referrer).
Log Field Setup

Index-A: host_ip, dvc_ip, dest_ip
Index-B: src_ip, dest_ip, website, referrer
Index-C: src_ip, dest_ip, website, category, username
// dvc_ip and src_ip are the same value, just named differently. Indices B/C do not have the host_ip.

Sample events:
Index-A: host_ip=192.168.0.100 dvc_ip=18.104.22.168 dest_ip=22.214.171.124
Index-B: src_ip=126.96.36.199 dest_ip=188.8.131.52 website=amazon.com referrer=google.com
Index-C: src_ip=184.108.40.206 dest_ip=220.127.116.11 website=amazon.com category=shopping username=jsmith
Why don't you use an alias to give your source IP the same name across all three of your indexes?
index=Index-A OR index=Index-B OR index=Index-C | eval source_ip = coalesce(dvc_ip, src_ip) | transaction source_ip, dest_ip BLA BLA BLA
By the way, transaction might not be accurate enough for what you are trying to achieve unless you can easily specify your startswith event and your endswith event.
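An added example (not from the thread) that fills in the rest of the search above, assuming the index and field names given in the question. The first form keeps transaction and adds the one-minute limit; the second form uses stats instead, which avoids the startswith/endswith concern and makes the "all three indexes present" check explicit, at the cost of grouping on fixed minute buckets rather than a sliding window.

```spl
index=Index-A OR index=Index-B OR index=Index-C
| eval source_ip=coalesce(dvc_ip, src_ip)
| transaction source_ip dest_ip maxspan=1m
| table _time username host_ip source_ip dest_ip website category referrer

index=Index-A OR index=Index-B OR index=Index-C
| eval source_ip=coalesce(dvc_ip, src_ip)
| bin _time span=1m
| stats dc(index) AS index_count values(username) AS username values(host_ip) AS host_ip
        values(website) AS website values(category) AS category values(referrer) AS referrer
        BY _time source_ip dest_ip
| where index_count=3
| table _time username host_ip source_ip dest_ip website category referrer
```

With the stats form, a pair of events that straddle a minute boundary land in different buckets and will not be joined; with transaction, check the eventcount field it adds if you need to confirm that all three sources contributed to a group.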
I did not know about using an alias. The three logs all fall within a 1-minute span. Trying alias now.