I have a group of events which has the sourcetype "users"
The events within sourcetype=users contain the format:
username
field2
field3
group_access: "group1, group2, group3, groupX"
field5...
I also have logs within the same index which group together under the sourcetype=hosts
...
The events within sourcetype=hosts contain the format:
hostname
field2
field3
group_access: "group1, group2"
field5...
...
I want to correlate users with access to certain groups to hosts which have common group assignment. For example, using the events below:
user1
field2
field3
group_access: "group1, group3,"
field5...
host1
field2
field3
group_access: "group2"
field5...
host2
field2
field3
group_access: "group1, group3"
field5...
host3
field2
field3
group_access: "group1, group2"
field5...
I want to show that user 1 has access to host 2 and host 3 by correlation of the group_access. How can I create a query which accomplishes this and expresses it in a table?
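One way to build this correlation in SPL, as an added example that is not from the original post: it searches both sourcetypes in one pass, splits the comma-separated group_access value into one row per group (dropping the empty element left by a trailing comma and any surrounding quotes), collects the users and hosts seen per group, and then pairs them up so each user/host row lists the groups they share. The index name `myindex` and the field names `username` and `hostname` are assumed from the question; adjust them to match the actual extractions.

```spl
index=myindex (sourcetype=users OR sourcetype=hosts)
| eval entity=coalesce(username, hostname)
| eval group=split(group_access, ",")
| mvexpand group
| eval group=trim(group, "\" ")
| where group!=""
| eval user=if(sourcetype=="users", entity, null()), host=if(sourcetype=="hosts", entity, null())
| stats values(user) AS users values(host) AS hosts BY group
| where isnotnull(users) AND isnotnull(hosts)
| mvexpand users
| mvexpand hosts
| stats values(group) AS shared_groups BY users hosts
| rename users AS username hosts AS hostname
| table username hostname shared_groups
```

With the sample events above this yields two rows, user1/host2 (group1, group3) and user1/host3 (group1); host1 never appears because it shares no group with user1.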