
fetchCorrelatedEvents

Given a timestamp and +/- interval in minutes, pull the corresponding events from the given event types and put all the data into a new table.

Operator Usage in Easy Mode

  1. Click + on the parent node.

  2. Enter the Fetch Correlated Events operator in the search field and select the operator from the Results to open the operator form.

  3. In the Input Table drop-down, enter or select the table containing the data to run this operator on.

  4. In the Correlation Tables drop-down, enter or select a name or multiple names of the additional tables to correlate.

  5. In the Time Spread field, enter the time range (+/-) within which events from the correlation tables are correlated to each event in the input table.

  6. In the Filter Expressions field, click Add More to add additional columns to join.

  7. In the Aggregators field, enter the column name to create based on all correlated events for a given event in the main table.

  8. Click Run to view the result.

  9. Click Save to add the operator to the playbook.

  10. Click Cancel to discard the operator form.

Usage Details

LQL Command

fetchCorrelatedEvents(inputTable, correlationTables, timeSpread, filterExpressions, aggregators)

Input

inputTable: Table containing the data to run the operator on.
correlationTables: Names of the additional tables to correlate.
timeSpread: Time range (+/-) within which events from the correlation tables are correlated to each event in the input table.
filterExpressions: Additional join columns. For example, to correlate events from the first correlation table if the time range matches and its correlated_table.server_name matches the main_table.server column, add correlated_table.server_name = main_table.server as the first entry. There must be one expression for each correlation table.
aggregators: Additional columns to create based on all correlated events for a given event in the main table.

Output

Given a timestamp and +/- interval in minutes, pull the corresponding events from given event types and put all that data into a new table.

Example

LQL command

fetchCorrelatedEvents( dt_lsof, [ dt_pan_thread ], "5 s", [ "dt_lsof.date_mday = dt_pan_thread.date_mday" ], [ "max(dt_pan_thread.signature_id) as m"])
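
The following Python model of the command above is an added example, not LogicHub code or part of the original page. It shows how the time spread, the filter expression and the aggregator interact. The `ts` column, the sample rows, the inclusive window bounds and the handling of unmatched rows (kept, with a `None` aggregate) are assumptions made for illustration.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

def correlate(main_rows, corr_rows, spread, join_pred, aggregators, ts_key="ts"):
    """For each main event, aggregate correlation events within +/- spread.

    Assumed semantics (not confirmed by the page): inclusive window bounds,
    and main rows without any match are kept with None aggregates.
    """
    corr_sorted = sorted(corr_rows, key=lambda r: r[ts_key])
    stamps = [r[ts_key] for r in corr_sorted]
    out = []
    for m in main_rows:
        # Binary-search the slice of correlation events inside the window.
        lo = bisect_left(stamps, m[ts_key] - spread)
        hi = bisect_right(stamps, m[ts_key] + spread)
        # Apply the extra join condition (the filter expression).
        matched = [c for c in corr_sorted[lo:hi] if join_pred(m, c)]
        row = dict(m)
        for col, agg in aggregators.items():
            row[col] = agg(matched) if matched else None
        out.append(row)
    return out

# Constructed sample rows; "ts" is a hypothetical timestamp column name.
T0 = datetime(2024, 1, 15, 10, 0, 0)
DT_LSOF = [
    {"ts": T0, "date_mday": 15, "command": "sshd"},
    {"ts": T0 + timedelta(seconds=60), "date_mday": 15, "command": "curl"},
]
DT_PAN_THREAD = [
    {"ts": T0 - timedelta(seconds=3), "date_mday": 15, "signature_id": 30001},
    {"ts": T0 + timedelta(seconds=5), "date_mday": 15, "signature_id": 30007},  # on the boundary
    {"ts": T0 + timedelta(seconds=6), "date_mday": 15, "signature_id": 39999},  # outside the window
    {"ts": T0 + timedelta(seconds=2), "date_mday": 16, "signature_id": 50000},  # fails the filter
]

def run_example():
    # Mirrors: "5 s", dt_lsof.date_mday = dt_pan_thread.date_mday,
    # max(dt_pan_thread.signature_id) as m
    return correlate(
        DT_LSOF, DT_PAN_THREAD, timedelta(seconds=5),
        lambda m, c: m["date_mday"] == c["date_mday"],
        {"m": lambda rows: max(r["signature_id"] for r in rows)},
    )

if __name__ == "__main__":
    for row in run_example():
        print(row["command"], row["m"])
```

The event with the highest signature_id inside the window is excluded because it fails the filter expression, which is why a filter that is too strict can hide a relevant correlated event.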