I am attempting to search across 3 different sources and provide events that occur on more than 1 source only. Meaning firewall1 and firewall2 saw events in say, the same 20 minute window...
I am able to do this with a huge "stats values" table output and "search where" after, however I feel that is terribly inefficient.
Looking for something to output either raw event logs or to a table is fine, stats with count, etc etc. I am open to suggestions.
Here is my basic thought for the search, attempting src+dst IP pairs as the unique identifier:
source1 OR source2 OR source3 | transaction src,dst where source>1 maxspan=20m
You could use streamstats to get a distinct count of sources for each transaction and then single out the transactions with more than one source using where:
source="source1" OR source="source2" OR source="source3" | transaction src,dst maxspan=20m | streamstats window=1 dc(source) AS sourcecount | where sourcecount>1
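To make the grouping semantics concrete, here is the same correlation logic written out in Python as an added example (this is not Splunk's code and not from either poster): events are bucketed by (src, dst), split into transactions whose total time span stays within maxspan, and only transactions observed by more than one distinct source are kept. The events, field names and firewall names are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): one row per
# firewall log line, already parsed into (time, source, src, dst).
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "firewall1", "10.0.0.5", "198.51.100.7"),
    ("2024-01-01 10:05:00", "firewall2", "10.0.0.5", "198.51.100.7"),  # same pair, second source, 5m later
    ("2024-01-01 10:02:00", "firewall1", "10.0.0.9", "203.0.113.4"),
    ("2024-01-01 10:45:00", "firewall3", "10.0.0.9", "203.0.113.4"),   # same pair, 43m later: separate transaction
    ("2024-01-01 11:00:00", "firewall1", "10.0.0.5", "198.51.100.7"),
    ("2024-01-01 11:19:00", "firewall3", "10.0.0.5", "198.51.100.7"),  # 19m after 11:00, fits in the window
    ("2024-01-01 11:21:00", "firewall2", "10.0.0.5", "198.51.100.7"),  # 21m after 11:00, starts a new transaction
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_transactions(events, maxspan=timedelta(minutes=20)):
    """Group events by (src, dst) into time-ordered transactions whose total
    span (first event to last event) does not exceed maxspan. This mirrors
    the grouping done by `transaction src,dst maxspan=20m`."""
    by_pair = defaultdict(list)
    for ts, source, src, dst in events:
        by_pair[(src, dst)].append((parse(ts), source))

    transactions = []
    for (src, dst), rows in by_pair.items():
        rows.sort()  # oldest first; tuples sort by datetime, then source
        current = []
        for t, source in rows:
            # Close the open transaction once the next event would push the
            # span past maxspan, measured from the transaction's first event.
            if current and t - current[0][0] > maxspan:
                transactions.append((src, dst, current))
                current = []
            current.append((t, source))
        if current:
            transactions.append((src, dst, current))
    return transactions


def multi_source_transactions(events, maxspan=timedelta(minutes=20), min_sources=2):
    """Keep only transactions seen by at least min_sources distinct sources,
    the equivalent of `dc(source) AS sourcecount | where sourcecount>1`."""
    results = []
    for src, dst, rows in build_transactions(events, maxspan):
        sources = sorted({s for _, s in rows})
        if len(sources) >= min_sources:
            results.append({
                "src": src,
                "dst": dst,
                "start": rows[0][0],
                "end": rows[-1][0],
                "eventcount": len(rows),
                "sourcecount": len(sources),
                "sources": sources,
            })
    return results


if __name__ == "__main__":
    for hit in multi_source_transactions(SAMPLE_EVENTS):
        print(f'{hit["src"]} -> {hit["dst"]}  {hit["start"]} .. {hit["end"]}  '
              f'sources={hit["sources"]} events={hit["eventcount"]}')
```

Run stand-alone, the script reports two transactions for the 10.0.0.5 -> 198.51.100.7 pair (one seen by firewall1 and firewall2, one by firewall1 and firewall3) and drops everything else, including the 10.0.0.9 pair whose two sightings are 43 minutes apart. Widening maxspan changes which events merge, which is the same tuning knob the search's maxspan=20m exposes.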