Hi all,
We have events in a single index for flows into and out of a gateway, I’m trying to link an incoming event with the outgoing:
search 1:
index=vpc | where src=<gateway_out_ip> | table starttime, endtime, src, dest
search 2:
index=vpc | where dest=<gateway_in_ip> AND src=<server_ip> | table starttime, endtime, src, dest
The idea is to join search 1 to search 2 where the starttimes are within 3 seconds of each other, so I can see the dest in search 1 for the <server_ip> in search 2. I tried using transaction, but there isn't any common data between the two searches. I only want to include events from search 1 that have a corresponding (within 3 seconds) event in search 2.
Can anyone advise on the best way to do this?
Thanks
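As an added reference implementation (not the poster's code and not an SPL answer), the following Python script spells out the join semantics the question describes, so that whatever search is eventually written can be checked against the same edge cases. It assumes placeholder addresses for <gateway_out_ip>, <gateway_in_ip> and <server_ip>, starttime values as epoch seconds, and a small constructed set of flow events; the choice to keep only the nearest incoming event per outgoing event is also an assumption.

```python
from bisect import bisect_left, bisect_right

# Placeholder addresses standing in for the post's <gateway_out_ip>,
# <gateway_in_ip> and <server_ip>; assumptions for this example only.
GATEWAY_OUT_IP = "203.0.113.10"
GATEWAY_IN_IP = "10.0.0.1"
SERVER_IP = "10.0.0.50"
WINDOW_SECONDS = 3

# Constructed sample events from one "index"; starttime/endtime as epoch seconds.
EVENTS = [
    {"starttime": 1000, "endtime": 1002, "src": SERVER_IP, "dest": GATEWAY_IN_IP},
    {"starttime": 1001, "endtime": 1003, "src": GATEWAY_OUT_IP, "dest": "198.51.100.7"},
    {"starttime": 1020, "endtime": 1021, "src": GATEWAY_OUT_IP, "dest": "198.51.100.9"},
    {"starttime": 1027, "endtime": 1029, "src": GATEWAY_OUT_IP, "dest": "198.51.100.11"},
    {"starttime": 1030, "endtime": 1031, "src": SERVER_IP, "dest": GATEWAY_IN_IP},
    {"starttime": 1050, "endtime": 1051, "src": "10.0.0.99", "dest": GATEWAY_IN_IP},
    {"starttime": 1051, "endtime": 1052, "src": GATEWAY_OUT_IP, "dest": "198.51.100.13"},
]


def search_1(events):
    """Outgoing leg: flows whose src is the gateway's outside address."""
    return [e for e in events if e["src"] == GATEWAY_OUT_IP]


def search_2(events):
    """Incoming leg: flows from the server of interest to the gateway's inside address."""
    return [e for e in events if e["dest"] == GATEWAY_IN_IP and e["src"] == SERVER_IP]


def correlate(outgoing, incoming, window=WINDOW_SECONDS):
    """Pair each outgoing event with the nearest incoming event whose starttime lies
    within +/- window seconds (boundary inclusive, either ordering). Outgoing events
    with no partner are dropped: the inner-join behaviour the post asks for."""
    incoming = sorted(incoming, key=lambda e: e["starttime"])
    times = [e["starttime"] for e in incoming]
    rows = []
    for out in sorted(outgoing, key=lambda e: e["starttime"]):
        t = out["starttime"]
        # Binary search for every incoming event in [t - window, t + window].
        lo = bisect_left(times, t - window)
        hi = bisect_right(times, t + window)
        candidates = incoming[lo:hi]
        if not candidates:
            continue
        best = min(candidates, key=lambda e: abs(e["starttime"] - t))
        rows.append({
            "out_starttime": t,
            "in_starttime": best["starttime"],
            "delta_seconds": t - best["starttime"],
            "candidates": len(candidates),  # >1 means the time window alone is ambiguous
            "server": best["src"],
            "gateway_src": out["src"],
            "dest": out["dest"],
        })
    return rows


if __name__ == "__main__":
    for row in correlate(search_1(EVENTS), search_2(EVENTS)):
        print(row)
```

With the sample data, the outgoing flow at 1001 pairs with the incoming flow at 1000, and the one at 1027 pairs with the incoming flow at 1030 (three seconds later, so the boundary is inclusive and the outgoing event may come first); the flows at 1020 and 1051 have no partner and are dropped. Correlating on time alone is inherently ambiguous when the gateway carries several flows at once, which is why the `candidates` count is carried through: any search built for the real data should be checked against the same three cases, an inclusive boundary, an outgoing event preceding the incoming one, and more than one candidate inside the window.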