I have these three different searches:
Is it even possible to have another search that will know when a specific user has done all of the things above?
I want to be able to know when user1 does ALL of the following items within a 24-hour period: user1 creates user2, user1 adds user2 to a group, user1 switches accounts to become user2.
Since I have those individual searches already, how can I have something else that knows when all three cases have been met by user1? Like a separate panel on my dashboard that can indicate when all three cases are met. This way I don't have to look through all three panels to see if user1 has done all three things.
easy peasy ...
multisearch
    [ Your search that finds user1 creating user2 | table _time user1 user2 | eval rectype="create" ]
    [ Your search that finds user1 adding user2 to group2 | table _time user1 user2 group2 | eval rectype="group" ]
    [ Your search that finds user1 becoming user2 | table _time user1 user2 | eval rectype="switch" ]
| stats values(rectype) as rectype, min(_time) as starttime, values(group2) as group2, range(_time) as duration by user1 user2
| where mvcount(rectype)=3
Note that to use multisearch, all of the individual commands used to find the various records must be distributed streaming type commands. If you must use any commands that cannot be distributed, then you need to do something like
( Your search that finds user1 creating user2 ) OR
( Your search that finds user1 adding user2 to group2 ) OR
( Your search that finds user1 becoming user2 )
| eval rectype=case(condition that identifies records from search 1, "create",
                    condition that identifies records from search 2, "group",
                    condition that identifies records from search 3, "switch",
                    true(), "booboo")
| eval user1=coalesce(field from search 1, field from search 2, field from search 3)
| eval user2=coalesce(field from search 1, field from search 2, field from search 3)
| eval group2=(field from search 2)
| stats values(rectype) as rectype, min(_time) as starttime, values(group2) as group2, range(_time) as duration by user1 user2
| where mvcount(rectype)=3 OR rectype="booboo"
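The same correlation written out in Python, as an added example that is not part of the original answer: it groups constructed sample records by the (user1, user2) pair exactly as the `stats ... by user1 user2` step does, and additionally enforces the 24-hour window the question asks for (the SPL computes `duration` but does not filter on it). The event tuples and user names are made up for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch seconds, rectype, user1, user2, group2).
# rectype values mirror the SPL answer: "create", "group", "switch".
EVENTS = [
    (1700000000, "create", "alice", "svc_backup", None),
    (1700003600, "group",  "alice", "svc_backup", "Domain Admins"),
    (1700007200, "switch", "alice", "svc_backup", None),
    (1700000000, "create", "bob",   "tmp_user",   None),
    (1700100000, "group",  "bob",   "tmp_user",   "Helpdesk"),  # >24h after create
    (1700101000, "switch", "bob",   "tmp_user",   None),
    (1700000000, "create", "carol", "new_hire",   None),
    (1700000500, "group",  "carol", "new_hire",   "Staff"),     # never switches
]

REQUIRED = {"create", "group", "switch"}   # mvcount(rectype)=3 in the SPL
WINDOW = 24 * 3600                         # the 24-hour period from the question


def correlate(events, window=WINDOW):
    """Return {(user1, user2): {...}} for every pair whose records contain all
    three rectypes within `window` seconds of the earliest one considered."""
    by_pair = defaultdict(list)
    for ts, rectype, u1, u2, grp in events:
        by_pair[(u1, u2)].append((ts, rectype, grp))

    hits = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r[0])
        # Slide a window starting at each record so a late "create" after an
        # unrelated old one still gets its chance to complete the sequence.
        for i, (start, _, _) in enumerate(recs):
            seen, groups = set(), set()
            for ts, rectype, grp in recs[i:]:
                if ts - start > window:
                    break                  # outside the 24h window, give up on this start
                seen.add(rectype)
                if grp:
                    groups.add(grp)
                if REQUIRED <= seen:       # all three actions observed
                    hits[pair] = {"starttime": start, "duration": ts - start,
                                  "group2": sorted(groups)}
                    break
            if pair in hits:
                break
    return hits


if __name__ == "__main__":
    for pair, info in correlate(EVENTS).items():
        print(pair, info)   # only ("alice", "svc_backup") completes within 24h
```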
Is it possible to do something like that? Yes. Can it be done for your use case? I can't say unless you share more details about all three individual searches, the available fields (at least the common fields), etc.