Cross-Search Table Join


Use this option to combine the data from two separate tables that share a common field. In order to generate the cross-search table join, the queries must be open in Devo. 

Creating the Cross-Search Table Join

Here we describe how to create this chart using an example, with the country column as the common field and using the eventdate column as the comparison criteria.

  1. Go to Data Search and open the following two queries:

    Apache query Fortinet query
    from web.apache.accessLt
    group every 30m by country, statusCode
    every 1h
    select count() as count
    from firewall.fortinet.traffic.forward
    select mmcountry(srcIp) as country
    group every 30m by country, protoStr
    every 1h
    where isnotnull(country)
    select count() as count
  2. With the Fortinet query open, select Additional tools → Graphical Correlation → Cross-search Table Join from the query toolbar.  The Cross-Search Table Join window appears
  3. Click the <> symbol to add the variables for a second table. 

  4. Click and drag the columns from the firewall query to the corresponding variables as follows:
    • eventdate → Source
    • nodecount → Link weight
    • country → Target node
    • protostr → Extra values (optional)

  5. Select the Apache query in the navigation panel to switch to the second query. Now, click and drag the columns from the web server query to the corresponding variables as follows:  
    • country  Source node
    • count Link weight
    • eventdate → Target node
    • status code → Extra values (optional)

  6. The new table appears.

Have we answered your question?

If not, please contact our technical support team via email by clicking the button below.