How can I take an event with a given key(a)/value(b) pair and find the temporally nearest event with key(c)/value(d)? I thought transaction would be the way to go, but I've used it enough to know that I must not know what I need to know about it, if that's my best avenue.
The idea is that given an event:
Oct 26, 2032 src_ip=132.32.23.4 proto=udp
How can I find the very next event (only) containing
Oct 26, 2032 src_ip=132.32.23.4 rectype=tcpsession
OR
the nearest previous recent event (only) containing
Oct 26, 2032 src_ip=132.32.23.4 rectype=ipflow
OR better yet, both.
For me, the transaction would be:
search index=whatevs | transaction src_ip | search (rectype=tcpsession) (rectype=ipflow)
But this, even when given a maxspan, often seems to return an event set that, while it matches, doesn't necessarily limit the results or stick to my specified maxspan.
Any takers?
I'll buy you a pony.... Thanks
-s
Have you tried using startswith/endswith?
index=whatevs | transaction src_ip startswith=("rectype=ipflow") endswith=("rectype=tcpsession")
Does that get you any closer?
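To make the "temporally nearest event" semantics concrete outside Splunk, here is an added Python example (not SPL, and not code from this thread) that does what the question asks for over a handful of constructed log lines: for each anchor event (src_ip=X proto=udp) it finds the first later event with the same src_ip and rectype=tcpsession, and the last earlier event with the same src_ip and rectype=ipflow, each only if it falls within a maxspan measured from the anchor. The log format, the field names beyond those in the question, and the sample data are all assumptions made for the example.

```python
"""Nearest-neighbour event correlation by join key, with a per-anchor maxspan.

Added illustration of the logic behind the question; the timestamp format
and sample events below are constructed, not taken from any real system.
"""
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> key=value ...").
SAMPLE_LOG = """\
2032-10-26T10:00:00 src_ip=132.32.23.4 rectype=ipflow bytes=120
2032-10-26T10:00:05 src_ip=10.0.0.9 rectype=ipflow bytes=77
2032-10-26T10:00:10 src_ip=132.32.23.4 proto=udp dport=53
2032-10-26T10:00:12 src_ip=10.0.0.9 proto=udp dport=123
2032-10-26T10:00:30 src_ip=132.32.23.4 rectype=tcpsession dport=443
2032-10-26T10:00:45 src_ip=132.32.23.4 rectype=tcpsession dport=80
2032-10-26T11:30:00 src_ip=10.0.0.9 rectype=tcpsession dport=22
"""


def parse_events(text):
    """Parse 'timestamp k=v k=v' lines into dicts; '_time' holds a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        ev = {"_time": datetime.fromisoformat(ts)}
        for kv in kvs:
            k, _, v = kv.partition("=")
            ev[k] = v
        events.append(ev)
    events.sort(key=lambda e: e["_time"])  # time order is required for bisect
    return events


def _index_by_key(events, key, match):
    """Map key value -> (time-sorted candidate events, their timestamps)."""
    groups = defaultdict(list)
    for ev in events:
        if key in ev and match(ev):
            groups[ev[key]].append(ev)
    return {k: (evs, [e["_time"] for e in evs]) for k, evs in groups.items()}


def nearest(events, key, anchor_match, next_match, prev_match, maxspan):
    """Yield (anchor, next_event, prev_event) triples; either neighbour is None
    when no candidate with the same key value exists within maxspan."""
    nxt_idx = _index_by_key(events, key, next_match)
    prv_idx = _index_by_key(events, key, prev_match)
    for anchor in events:
        if key not in anchor or not anchor_match(anchor):
            continue
        t, k = anchor["_time"], anchor[key]
        # Next: first candidate strictly after the anchor time.
        cands, times = nxt_idx.get(k, ([], []))
        i = bisect_right(times, t)
        nxt = cands[i] if i < len(cands) and times[i] - t <= maxspan else None
        # Previous: last candidate strictly before the anchor time.
        cands, times = prv_idx.get(k, ([], []))
        j = bisect_left(times, t) - 1
        prv = cands[j] if j >= 0 and t - times[j] <= maxspan else None
        yield anchor, nxt, prv


def correlate_sample(maxspan_seconds=60):
    """Run the correlation over SAMPLE_LOG; returns (src_ip, next_ts, prev_ts)."""
    events = parse_events(SAMPLE_LOG)
    out = []
    for anchor, nxt, prv in nearest(
        events, "src_ip",
        anchor_match=lambda e: e.get("proto") == "udp",
        next_match=lambda e: e.get("rectype") == "tcpsession",
        prev_match=lambda e: e.get("rectype") == "ipflow",
        maxspan=timedelta(seconds=maxspan_seconds),
    ):
        out.append((anchor["src_ip"],
                    nxt["_time"].isoformat() if nxt else None,
                    prv["_time"].isoformat() if prv else None))
    return out


if __name__ == "__main__":
    for row in correlate_sample():
        print(row)
```

The point of measuring maxspan from each anchor is the difference from grouping by src_ip and then filtering: a group-then-filter approach keeps every event for the key, whereas the question wants exactly one neighbour on each side of a specific event. In the sample, the 10.0.0.9 anchor gets its ipflow predecessor but no tcpsession successor, because the only candidate is over an hour later.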
I come here before I go to documentation, apparently. I'm lonely.