Hi,
I am trying to find a solution to this problem, and I haven't been able to find one for quite some time. I am new to ELK, and I hope someone can help me somehow.
Let's say I have an ELK stack which receives logs through filebeat from many sources. Among the sources, there are A and B. A has a field named LOGED_DNS, and B has a field named GOOD_DNS.
I want to be able to run a search/script/(something else) which would tell me if there are any LOGED_DNS from logs of source A which are the same as any GOOD_DNS of source B.
Example:
@timestamp: ... , ... , ... , source: A, LOGED_DNS: qwerty.com, ..., ...
@timestamp: ... , ... , ... , source: B, GOOD_DNS: qwerty.com, ..., ...
These should be searched/alarmed somehow.
I found many solutions on the web which consist of comparing fields of the same log, but none comparing fields between two different logs.
Thank you very much in advance.
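An added example (not code from the poster or from Elastic) of the correlation the post asks for, done in two steps: collect every GOOD_DNS value seen on source B, then flag the source A events whose LOGED_DNS is in that set. It runs offline on constructed events that mirror the post's field and source names; the Elasticsearch query body it builds uses only standard Query DSL clauses and is not sent anywhere. It assumes LOGED_DNS and GOOD_DNS are mapped as keyword fields, and it normalizes names (case, trailing dot) so two spellings of the same host still match.

```python
"""Correlate a field from one log source against a field from another.

Added example, not from the original post. Assumes documents shaped like the
poster's Filebeat events: a "source" field ("A" or "B"), source-A events carry
LOGED_DNS and source-B events carry GOOD_DNS. Field/source names come from the
post; the sample events below are constructed.
"""
from collections import defaultdict

# Constructed sample events (hypothetical, mirroring the post's two sources).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "source": "A", "LOGED_DNS": "qwerty.com"},
    {"@timestamp": "2024-01-01T10:00:05Z", "source": "A", "LOGED_DNS": "Example.ORG."},
    {"@timestamp": "2024-01-01T10:00:09Z", "source": "A", "LOGED_DNS": "unrelated.net"},
    {"@timestamp": "2024-01-01T09:00:00Z", "source": "B", "GOOD_DNS": "qwerty.com"},
    {"@timestamp": "2024-01-01T09:00:01Z", "source": "B", "GOOD_DNS": "example.org"},
    {"@timestamp": "2024-01-01T09:00:02Z", "source": "B", "GOOD_DNS": "other.com"},
]


def normalize_dns(name):
    """Lower-case and drop a trailing dot so differently spelled copies of one name match."""
    return name.strip().lower().rstrip(".")


def build_lookup(events, source, field):
    """Collect the set of normalized field values seen in one source (the reference side)."""
    return {normalize_dns(e[field]) for e in events if e.get("source") == source and field in e}


def correlate(events, ref_source="B", ref_field="GOOD_DNS", probe_source="A", probe_field="LOGED_DNS"):
    """Return probe-side events whose field value also appears on the reference side,
    grouped by the normalized value."""
    reference = build_lookup(events, ref_source, ref_field)
    matches = defaultdict(list)
    for e in events:
        if e.get("source") == probe_source and probe_field in e:
            key = normalize_dns(e[probe_field])
            if key in reference:
                matches[key].append(e)
    return dict(matches)


def es_query_for(values, field="LOGED_DNS", source="A"):
    """Build the Elasticsearch bool query that would fetch the probe-side hits for a set of
    already-collected reference values (step two of: aggregate B, then query A).
    Assumes `field` is a keyword field; nothing is sent to a cluster here."""
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"source": source}},
                    {"terms": {field: sorted(values)}},
                ]
            }
        }
    }


if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS)
    for name, evs in sorted(hits.items()):
        print(f"{name}: {len(evs)} event(s) from A match a GOOD_DNS from B")
    print(es_query_for(build_lookup(SAMPLE_EVENTS, "B", "GOOD_DNS")))
```

The same two-step shape works against a live cluster: a terms aggregation on GOOD_DNS (filtered to source B) supplies the value set, and `es_query_for` turns it into the search over source A. A `terms` query is capped by `index.max_terms_count` (default 65,536 values), so for very large reference sets the list has to be chunked or kept in a dedicated lookup index.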