Hi Kibana Experts!
I have a bunch of different log files that have the action (SRCH, RESULT, BIND) and user_name (Mike) in separate events from the events containing the server IP addresses they connect to. These different events are tied together by by the conn ID (example events below).
My question is - how can write a search that maps the user (Mike) to the servers they are attaching to (18.104.22.1681), without re-indexing/enriching the original log file?
[01/May/2015:20:39:01 -0400] conn=2693446 op=1 msgId=2 - SRCH base="ou=people,o=acme acme" scope=2 filter="(&(uid=Mike)(cn=*))" attrs="cn"
[01/May/2015:20:39:01 -0400] conn=2693446 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000000 dn="cn=AcmeAuth,ou=ldapids,o=acme acme"
[01/May/2015:20:39:01 -0400] conn=2693446 op=-1 msgId=-1 - fd=266 slot=266 LDAP connection from 43.345.3.234:34952 to 22.214.171.1241