Is there a way to correlate two or more events which share the same cs_uri and referer and occur within a specified window of time?
For example,
event 1: referer = A cs_uri = B
event 2: referer = B cs_uri = C
event 3: referer = C cs_uri = D
resulting in...
meta-event 1: referer = A
cs_uri/referer = B
cs_uri/referer = C
cs_uri = D
I would first create a field alias in props.conf
[your_sourcetype]
FIELDALIAS-referer = cs_uri AS referer
Then in your search:
sourcetype=your_sourcetype | transaction referer maxspan=1m | do_stuff
So this is assigning the value of cs_uri to referer and doing a transaction to get the events with the same referer.
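The grouping the answer above relies on (an event joins a transaction when its referer or its cs_uri matches a value already seen in that transaction, as long as the whole group stays inside maxspan) is easy to misread, so here is the same logic written out in Python over a handful of constructed proxy events. This is an added illustration, not Splunk's implementation of transaction and not code from the original thread; the Event/Transaction types, the correlate and chain functions, and the sample URLs are all assumptions made for the example.

```python
"""Chained referer/cs_uri correlation inside a time window.

Added example: mimics the grouping obtained from aliasing cs_uri onto referer
and running `transaction referer maxspan=1m`; it is not Splunk's own code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed sample values)
    referer: str
    cs_uri: str


@dataclass
class Transaction:
    events: List[Event] = field(default_factory=list)
    keys: Set[str] = field(default_factory=set)  # every referer/cs_uri seen so far

    @property
    def start(self) -> int:
        return self.events[0].ts


def correlate(events: List[Event], maxspan: int) -> List[Transaction]:
    """Group events in time order.

    An event joins the first open transaction whose key set overlaps its own
    {referer, cs_uri} pair (this is what the field alias achieves: referer
    carries both values) and whose first event is no more than `maxspan`
    seconds older than the event. Otherwise it starts a new transaction.
    """
    txns: List[Transaction] = []
    for ev in sorted(events, key=lambda e: e.ts):
        ev_keys = {ev.referer, ev.cs_uri}
        target: Optional[Transaction] = None
        for txn in txns:
            if ev.ts - txn.start <= maxspan and txn.keys & ev_keys:
                target = txn
                break
        if target is None:
            target = Transaction()
            txns.append(target)
        target.events.append(ev)
        target.keys |= ev_keys
    return txns


def chain(txn: Transaction) -> List[str]:
    """Collapse a linear transaction into the ordered URI path (the 'meta-event')."""
    path = [txn.events[0].referer]
    for ev in txn.events:
        if ev.cs_uri != path[-1]:
            path.append(ev.cs_uri)
    return path


# Constructed sample events: one three-hop chain, one unrelated hit, and a
# fourth hop that arrives after the 60-second window has closed.
SAMPLE_EVENTS = [
    Event(0, "https://a.example/", "https://b.example/page"),
    Event(10, "https://b.example/page", "https://c.example/x"),
    Event(20, "https://c.example/x", "https://d.example/y"),
    Event(30, "https://x.example/", "https://y.example/"),
    Event(100, "https://d.example/y", "https://e.example/z"),
]


if __name__ == "__main__":
    for i, txn in enumerate(correlate(SAMPLE_EVENTS, maxspan=60), start=1):
        print(f"meta-event {i}: " + " -> ".join(chain(txn)))
```

Running it prints one meta-event for the a -> b -> c -> d chain, one for the unrelated x -> y hit, and a separate one for d -> e because it falls outside the window measured from the chain's first event; that last case is the same cut-off `maxspan=1m` imposes, so tune the span to the dwell time you expect between hops.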