Hi,
I have the following two sources:
Source1:

| Time | IP | MAC |
|---|---|---|
| 08:01 | 10.0.1.1 | MAC1 |
| 08:02 | 10.0.1.2 | MAC2 |
| ... | ... | ... |
| 08:31 | 10.0.1.1 | MAC1-1 |
| ... | ... | ... |
| 09:01 | 10.0.1.1 | MAC1-2 |
| 09:02 | 10.0.1.2 | MAC2 |
| 09:03 | 10.0.1.3 | MAC3 |
Raw events for this source are generated constantly, and the same IP might be associated with different MAC addresses over time.
Source2:

| Time | IP | Site | Used |
|---|---|---|---|
| 08:00 | 10.0.1.1 | Site1 | Used |
| 08:00 | 10.0.1.2 | Site2 | Unused |
| ... | ... | ... | ... |
| 08:29 | 10.0.1.1 | Site1 | Unused |
| 08:30 | 10.0.1.1 | Site1-1 | Unused |
| ... | ... | ... | ... |
| 09:00 | 10.0.1.1 | Site1 | Used |
| 09:00 | 10.0.1.2 | Site2 | Used |
| ... | ... | ... | ... |
| 09:10 | 10.0.1.3 | Site3 | Used |
Raw events for this source are also generated constantly, and are independent of Source1.
The report I'm trying to build searches over both sources and presents the combined results as below:
| Time | IP | MAC | Site | Used |
|---|---|---|---|---|
| 08:01 | 10.0.1.1 | MAC1 | Site1 | Used |
| 08:02 | 10.0.1.2 | MAC2 | Site2 | Unused |
| ... | ... | ... | ... | ... |
| 08:31 | 10.0.1.1 | MAC1-1 | Site1-1 | Unused |
| ... | ... | ... | ... | ... |
| 09:01 | 10.0.1.1 | MAC1-2 | Site1 | Used |
| 09:02 | 10.0.1.2 | MAC2 | Site2 | Used |
| 09:03 | 10.0.1.3 | MAC3 | NULL | NULL |
I.e., events from both sources are joined by the IP field, and the "Site" and "Used" values are taken from the latest event in Source2 for that specific IP at that time.
Could anyone please shed some light on how to build such a search? I assume I should use the transaction command but haven't figured out how to use it correctly.
Thanks.
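The matching rule described in the question (for each Source1 event, pick the most recent Source2 event for the same IP at or before that event's time, and NULL when there is none yet) is a point-in-time, or "as-of", join. The following is an added example, not part of the original post and not Splunk SPL: it implements that rule in plain Python over constructed sample rows copied from the tables above, so the expected output of whatever search you end up writing can be checked against it. The function and variable names (`SOURCE1`, `SOURCE2`, `build_index`, `latest_at`, `asof_join`) are this example's own.

```python
from bisect import bisect_right
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample rows, copied from the tables in the question (elided
# rows omitted). Times are "HH:MM" strings on a single day.
SOURCE1: List[Tuple[str, str, str]] = [
    ("08:01", "10.0.1.1", "MAC1"),
    ("08:02", "10.0.1.2", "MAC2"),
    ("08:31", "10.0.1.1", "MAC1-1"),
    ("09:01", "10.0.1.1", "MAC1-2"),
    ("09:02", "10.0.1.2", "MAC2"),
    ("09:03", "10.0.1.3", "MAC3"),
]
SOURCE2: List[Tuple[str, str, str, str]] = [
    ("08:00", "10.0.1.1", "Site1", "Used"),
    ("08:00", "10.0.1.2", "Site2", "Unused"),
    ("08:29", "10.0.1.1", "Site1", "Unused"),
    ("08:30", "10.0.1.1", "Site1-1", "Unused"),
    ("09:00", "10.0.1.1", "Site1", "Used"),
    ("09:00", "10.0.1.2", "Site2", "Used"),
    ("09:10", "10.0.1.3", "Site3", "Used"),
]

Row2 = Tuple[int, str, str]            # (minutes since midnight, site, used)
Index = Dict[str, Tuple[List[int], List[Row2]]]


def to_minutes(hhmm: str) -> int:
    """'08:31' -> 511. Used so times compare numerically, not as strings."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def build_index(source2) -> Index:
    """Group Source2 by IP, sorted by time, with a parallel list of times
    so each lookup is a binary search instead of a scan."""
    grouped: Dict[str, List[Row2]] = defaultdict(list)
    for t, ip, site, used in sorted(source2, key=lambda e: to_minutes(e[0])):
        grouped[ip].append((to_minutes(t), site, used))
    return {ip: ([r[0] for r in rows], rows) for ip, rows in grouped.items()}


def latest_at(index: Index, ip: str, t: int) -> Optional[Row2]:
    """Most recent Source2 row for `ip` with time <= t, or None if the IP
    has no Source2 event yet at that time (the NULL case in the question).
    bisect_right makes an event stamped exactly at t count as 'already seen'."""
    if ip not in index:
        return None
    times, rows = index[ip]
    pos = bisect_right(times, t)
    return rows[pos - 1] if pos else None


def asof_join(source1, source2) -> List[Tuple[str, str, str, Optional[str], Optional[str]]]:
    """Left as-of join: every Source1 event is kept, enriched with the Site
    and Used values in force for its IP at its timestamp."""
    index = build_index(source2)
    joined = []
    for t, ip, mac in sorted(source1, key=lambda e: to_minutes(e[0])):
        match = latest_at(index, ip, to_minutes(t))
        site, used = (match[1], match[2]) if match else (None, None)
        joined.append((t, ip, mac, site, used))
    return joined


if __name__ == "__main__":
    print("| Time | IP | MAC | Site | Used |")
    for t, ip, mac, site, used in asof_join(SOURCE1, SOURCE2):
        print(f"| {t} | {ip} | {mac} | {site or 'NULL'} | {used or 'NULL'} |")
```

Run as a script it prints the same five-column table the question asks for, including `NULL | NULL` for the 09:03 event of 10.0.1.3, whose first Source2 event only arrives at 09:10. The important design point is that the join key is (IP, time-at-or-before), not IP alone: a plain equality join on IP would either fan out every Source1 row against all Source2 rows for that IP or, with a "latest per IP" pre-aggregation, stamp the 08:31 event with the 09:00 value. Whatever SPL you write should reproduce the rows this function returns.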