Hi, is there a "standard" way of correlating data from different sources? For example, I have a metadata source and an event source. The metadata source has data such as "ServiceName" or "Location", and an IP address. The event source is logs that have a host, and I would like to get some aggregation data based on the metadata source...
meta:
`ipaddress=1.2.3.4,location=xyz,service=foo`
event:
`host=1.2.3.4,loglevel=WARN,message="something"`
If I wanted to chart the count of different log levels by location, what would the best approach be? I have tried sub-searches, but that works for filtering; would I need some sort of dynamic lookup?
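The join-then-aggregate shape the question describes, as an added example that is not part of the original thread: index the metadata by IP, enrich each event on its host field, then count by (location, loglevel). The sample records, the key=value parser and the "unknown" sentinel for hosts with no metadata are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample records in the key=value format from the question
# (not real data from any system).
META_LINES = [
    'ipaddress=1.2.3.4,location=xyz,service=foo',
    'ipaddress=5.6.7.8,location=abc,service=bar',
]
EVENT_LINES = [
    'host=1.2.3.4,loglevel=WARN,message="something"',
    'host=1.2.3.4,loglevel=ERROR,message="disk full, retrying"',
    'host=5.6.7.8,loglevel=WARN,message="slow"',
    'host=9.9.9.9,loglevel=INFO,message="no metadata for this host"',
]

# key=value pairs; values may be quoted, and quoted values may contain commas
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')

def parse_kv(line):
    """Parse one comma-separated key=value line into a dict."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def build_lookup(meta_lines, key='ipaddress'):
    """Index metadata records by IP so each event is enriched in O(1)."""
    return {rec[key]: rec for rec in map(parse_kv, meta_lines) if key in rec}

def enrich(event, lookup, join_field='host', unknown='unknown'):
    """Attach location/service to an event. Unmatched hosts get a sentinel
    so they stay visible in the chart instead of silently disappearing."""
    meta = lookup.get(event.get(join_field), {})
    return {**event,
            'location': meta.get('location', unknown),
            'service': meta.get('service', unknown)}

def count_by_location_and_level(event_lines, meta_lines):
    """Equivalent of 'count by location, loglevel' after the lookup."""
    lookup = build_lookup(meta_lines)
    counts = Counter()
    for ev in map(parse_kv, event_lines):
        ev = enrich(ev, lookup)
        counts[(ev['location'], ev['loglevel'])] += 1
    return dict(counts)

if __name__ == '__main__':
    result = count_by_location_and_level(EVENT_LINES, META_LINES)
    for (loc, level), n in sorted(result.items()):
        print(f'{loc:8} {level:6} {n}')
```

Rows with location "unknown" are the events whose host had no metadata match; a silent inner join would have dropped them from the count.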