Cross-search table join
Overview
Use this option to combine and compare the data from two or more separate tables that share a common field.
What data do I need for this widget?
To generate the cross-search table join, you need to run at least two queries, each with at least three columns: one of the columns must be numerical and one must be common to the queries. The queries also need to have their data grouped for the diagram to show meaningful data.
Creating a Cross-Search Table Join
Query example
You can use the following queries to recreate the example shown in the images above:
from siem.logtrust.web.activity
group every 5m by responseLength, username, correlationId
every 5m
select count() as count

from siem.logtrust.web.navigation
group every 5m by userEmail, action, srcPort
every 5m
select count() as count