I am looking to correlate events from two different sources, whereby a rare event in source A (in a 1 hour window) searches for events in source B (in the same 1 hour window).
These are mobile phone records, and source A lists the Phone Numbers I want to search for in the CDR logs (source B).
This is what I have so far:
eventtype=phone_logs flagged=true
| bucket _time span=1h
| stats dc(phone_log_cli) by _time phone_log_cli
| join max=0 phone_log_cli [search sourcetype=cdr SCRIPT_RES="d*" BDA="*" BDUR>5]
| dedup ID
| eval AOA2=substr(AOA,1,4)+"xxxxxx"
| eval BDA2=substr(BDA,1,6)+"xxxxxxxx"
| eval CallTime=ACONDATE
| rename SCRIPT_RES as "CallType"
| table _time CallTime AOA2 BDA2 BDUR BREASON customer country Network CallType
This returns bucket windows for source A, but as the search runs it populates the first bucket where a cli appears with ALL the CDR records of the same device.
That is to say (over a 4 hour search window 08:00-12:00), if a phone made 1 call an hour in each of the 4 hours, then all 4 calls show up in the 08:00 result set.
I want to run this query over 30 days, and at the moment, every call gets returned in the first window in which its CLI was flagged in source A.
How can I restrict the 'join search' to only search within the same time window as the bucket from first search?
I have looked at localize/map, but this seems problematic also.
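One way to bind the subsearch to the same hour as the outer bucket, as an added example that is not part of the original post: bucket both sides to the same 1h span and join on the bucket start as well as the cli, so a call can only land in the hour it was actually placed. It assumes that the CDR field holding the same number as phone_log_cli is AOA and that each CDR event's _time is the call time; neither is stated in the post.

```spl
eventtype=phone_logs flagged=true
| bin _time span=1h
| stats count AS flagged_events by _time phone_log_cli
| join type=inner max=0 _time phone_log_cli
    [ search sourcetype=cdr SCRIPT_RES="d*" BDA="*" BDUR>5
      | bin _time span=1h
      | eval phone_log_cli=AOA
      | fields _time phone_log_cli ID AOA BDA BDUR BREASON ACONDATE SCRIPT_RES customer country Network ]
| dedup ID
| eval AOA2=substr(AOA,1,4)."xxxxxx", BDA2=substr(BDA,1,6)."xxxxxxxx", CallTime=ACONDATE
| rename SCRIPT_RES AS CallType
| table _time CallTime AOA2 BDA2 BDUR BREASON customer country Network CallType
```

Because both sides pass through bin with the same span, the _time values line up on the same hour boundaries and the join key (_time, phone_log_cli) is unique per hour per device. Over 30 days the subsearch may hit the join subsearch result limit, in which case appending both searches and using stats by _time phone_log_cli instead of join avoids that cap.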