ECS and normalizing queries across indexes


#1

Elasticsearch 6.3.2

Elastic Common Schema notes:

A common schema helps you correlate data from sources like logs and metrics or IT operations analytics and security analytics.

Assuming a case where a common schema is used to normalize field names across a broadly disparate set of indices for log data, and wanting to run queries which correlate events based on a common field name in several of these unrelated indices at once, how can that be done?

For example: a query designed to match events where the same user.name was logged in an index containing proxy server logs as the authenticated user and an index containing antivirus or similar endpoint logs where the user executed a malicious file within the same period of time. Looking at approaches like these joins it seems like the intention is correlating documents within the same index.


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.