Hi,
I have a first sourcetype=st1
with information about changes to users. I want to get a particular set of users (their last changes) with:
index=A sourcetype="st1" COLUMN="SOMETHING" | table col1 col2 col3 col4
In sourcetype="st2"
I have columns col1 col2 col3 col4 col5. Columns col1 col2 col3 col4 are the "key" to finding specific users (both in st1 and st2).
I want to create an alert (either real-time or cron based) that will get a subset (a list of col1 col2 col3 col4) from the first sourcetype, and then alert when an event happens in the second sourcetype whose "col1 col2 col3 col4" combination exists in the subset from the first search.
e.g.
st1
col1 col2 col3 col4
0 0 0 1
5 9 3 6
2 9 19 0
st2
col1 col2 col3 col4
0 0 0 2
0 0 0 2
0 0 0 2
0 0 0 2
0 0 0 1
5 9 3 6
An alert would be sent when 0 0 0 1 and 5 9 3 6 occurred in the st2 sourcetype.
What is the best approach to this problem (performance wise) and how to "join" those two searches?
The subset from the first sourcetype can have a few thousand events, with more than a year between the first and last events.
Try something like this:
index=A sourcetype="st2" [search index=A sourcetype="st1" COLUMN="SOMETHING" | table col1 col2 col3 col4] | table col1 col2 col3 col4 col5
Set the alert condition to trigger when the number of results of the above search is greater than 0.
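As an added example (not part of the answer above or of the original thread), the same subsearch approach written out in three pieces that address the asker's performance concern: a one-off search that shows what the subsearch actually turns into, a scheduled search that materialises the key set from st1 into a lookup, and the alert search that filters st2 by that lookup. The lookup file name st1_watchlist.csv and the idea of running the first search on a schedule are assumptions; everything else uses only the index, sourcetypes and field names from the thread.

```spl
index=A sourcetype="st1" COLUMN="SOMETHING" | dedup col1 col2 col3 col4 | table col1 col2 col3 col4 | format

index=A sourcetype="st1" COLUMN="SOMETHING" | dedup col1 col2 col3 col4 | table col1 col2 col3 col4 | outputlookup st1_watchlist.csv

index=A sourcetype="st2" [| inputlookup st1_watchlist.csv | fields col1 col2 col3 col4] | table col1 col2 col3 col4 col5
```

The first search returns a single `search` field whose value is the filter the subsearch generates, of the form `( ( col1="0" AND col2="0" AND col3="0" AND col4="1" ) OR ( col1="5" AND col2="9" AND col3="3" AND col4="6" ) )`; running it once is the quickest way to confirm that the key combination really is what gets pushed into the st2 search. The `dedup` matters because st1 records changes, so one user can appear many times and each repeat would otherwise add an identical OR clause. Splitting the work into the second and third searches avoids re-scanning a year or more of st1 on every alert run: the second one is saved as a scheduled search (for example daily) over the long time range, and the third, which is the actual alert with the "number of results > 0" condition, only reads the small lookup file. Keep in mind the default subsearch limits in limits.conf (10,000 results and 60 seconds); a few thousand keys fits, but if the watchlist grows past that the subsearch is silently truncated and matches are missed, which is a good reason to keep the `dedup`.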
This helped a lot. I've expanded your search with a join.
thx
Do both log source types use the same log format?
Thanks,
Lp
Nope, they are generated from different services; they just have the same "key" in the form of 4 columns.