Event correlation is finding relationships between seemingly unrelated events in data from multiple sources to answer questions like, "how far apart in time did a specific set of events occur?" or "what's the total amount of time it took for a transaction to complete?"

Splunk software supports event correlations using time and geographic location, transactions, sub-searches, field lookups, and joins.

Identify relationships based on the time proximity or geographic location of the events. Use this correlation in any security or operations investigation, where you might need to see all or any subset of events that take place over a given time period or location.

Track a series of related events, which may come from separate IT systems and data sources, together as a single transaction. Identify the amount of time it took to complete the transaction and the number of events within a single transaction.

Use a sub-search to take the results of one search and use them in another. Create conditional searches, where you see the results of a search only if the sub-search meets certain thresholds.

Correlate your data to external sources with lookups.

Use SQL-like inner and outer joins to link two completely different data sets together based on one or more common fields.

This chapter discusses three methods for correlating or grouping events: use time to identify relations between events; use transactions to identify and group related events; and use field lookups and other features of the search language.

Sometimes, there is no single command that you can use. Depending on your search criteria and how you want to define your groupings, you may be able to use a search command, such as append, associate, contingency, join, or stats.
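The transaction grouping described above (events from separate systems tied together by a shared field, with a duration and an event count per transaction) can be reproduced outside Splunk to see exactly what the grouping does. The following is an added example written for this page, not Splunk code or Splunk documentation: it parses a handful of constructed log lines from a hypothetical web front end and auth service, groups them by a session id field (here assumed to be called `sid`), and starts a new transaction whenever the gap between consecutive events exceeds a maximum pause. That is the same idea as the SPL `transaction` command with its `maxpause` option, which likewise emits `duration` and `eventcount` fields; the field names and sample values below are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events (not taken from the page): two systems, a web
# front end and an auth service, both tagging events with a session id "sid".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z auth sid=abc user=alice action=login
2024-01-01T10:00:05Z web  sid=abc path=/account status=200
2024-01-01T10:00:12Z web  sid=abc path=/export status=200
2024-01-01T10:00:20Z auth sid=abc user=alice action=logout
2024-01-01T10:00:01Z auth sid=xyz user=bob action=login
2024-01-01T10:00:03Z web  sid=xyz path=/admin status=403
2024-01-01T10:05:00Z web  sid=xyz path=/admin status=403
"""


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


@dataclass
class Transaction:
    key: str
    events: list = field(default_factory=list)

    @property
    def duration(self) -> float:
        """Seconds between the first and last event, like SPL's duration field."""
        return (self.events[-1].ts - self.events[0].ts).total_seconds()

    @property
    def eventcount(self) -> int:
        """Number of events grouped into this transaction, like SPL's eventcount."""
        return len(self.events)


def parse_events(text: str) -> list:
    """Parse '<iso-timestamp> <source> key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append(Event(ts, parts[1], kv))
    return events


def transactions(events: list, key_field: str, maxpause_s: float) -> list:
    """Group events sharing key_field into transactions.

    Events are processed in time order; a new transaction for the same key
    starts when the pause since that key's previous event exceeds maxpause_s.
    Events lacking the key field are not correlated and are skipped.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    open_txn = {}   # key -> transaction still accepting events
    closed = []
    for ev in ordered:
        key = ev.fields.get(key_field)
        if key is None:
            continue
        txn = open_txn.get(key)
        if txn is not None and (ev.ts - txn.events[-1].ts).total_seconds() > maxpause_s:
            closed.append(txn)          # pause too long: close and start a fresh one
            txn = None
        if txn is None:
            txn = Transaction(key)
            open_txn[key] = txn
        txn.events.append(ev)
    closed.extend(open_txn.values())
    # Deterministic output: order by start time, then key.
    return sorted(closed, key=lambda t: (t.events[0].ts, t.key))


def summarize(txns: list) -> list:
    """Flatten transactions into (key, eventcount, duration, sources) rows."""
    return [(t.key, t.eventcount, t.duration, sorted({e.source for e in t.events}))
            for t in txns]


if __name__ == "__main__":
    for row in summarize(transactions(parse_events(SAMPLE_LOG), "sid", 30)):
        print(row)
```

With a 30-second maximum pause, session `abc` becomes one four-event transaction spanning 20 seconds across both sources, while session `xyz` splits into two transactions because its third event arrives almost five minutes after the second. Choosing `maxpause_s` is the same judgement call as choosing `maxpause` in SPL: too small and a single slow session fragments, too large and unrelated activity under a reused identifier is merged.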