Cross-Search Graph Diagram
You can combine data from two or more different queries and create a cross-search graph diagram displaying the resulting relationships.
Creating a Cross-Search Graph Diagram
Here we describe how to create this chart using an example. We will use the
siem.logtrust.web.activityAll tables. We will link the tables through the scrip field in the auth.unix table and the srchost field in the
- Go to Data Search and open both queries.
- With the
auth.unixtable open, select Additional tools → Graphical Correlation → Cross-search Graph Diagram.
- Click and drag the action, user, and srcip column headers to the workspace window.
- Select the
siem.logtrust.web.activityAllin the navigation pane to switch to the second query. Click and drag the srchost and url columns to the workspace window.
- Create the join between the srcip and srchost fields by selecting one of them, then click and drag the handle to the other field in the workspace. The new link appears as a discontinous line and the types are matched.
Click Apply. The cross-search graph correlating the information from both tables is displayed.
You can deactivate the Inner joins option (activated by default) to show all the data from the selected columns, including those values that do not have a corresponding one in the other table (outer joins).
Select the save icon.
You can access your saved cross-search graph diagrams for further analysis going to Data Search and selecting the Saved Widgets tab.
Find the necessary chart using the search box and select its thumbail to open it on the query window. You can also display the saved charts as a list selecting the table icon in the Mode section. To delete a chart, click the X icon next to it.
The server icons next to the graph name indicate the number of queries used in the correlation. Hover over them to see the name of the data table.