Cross-Search Graph Diagram
You can combine data from two or more different queries and create a diagram displaying the resulting relationships.
Creating a Cross-Search Graph Diagram
Here we describe how to create this chart using an example. We will use the data in the
siem.logtrust.web.activity tables. We will link the tables through the scrip field in the
auth.unix table and the srchost field in the
- Go to Data Search and open both tables.
- With the
auth.unixtable open, select Additional tools → Graphical Correlation → Cross-search Graph Diagram.
- Click and drag the action, user, and srcip column headers to the workspace window.
siem.logtrust.web.activityin the navigation pane to switch to the second table. Click and drag the srcHost and url columns to the workspace window.
- Create the join between the srcip and srcHost fields by selecting the first one, then click and drag the handle to the other field in the workspace. The new link appears as a discontinous line and their types are matched.
- Click Apply. The cross-search graph correlating the information from both tables is displayed.
The Cross-Search Graph Diagram works exactly the same as the Graph diagram. To learn more about building and getting the most out of your Cross-Search Graph diagrams, go to Graph diagram.
Save your Cross-Search Graph Diagram
Select the save icon at the top right corner of the graph window to reaccess it anytime. You can access your saved cross search graph diagrams for further analysis going to Data Search and selecting the Saved Widgets tab.
Find the necessary chart using the search box and select its thumbail to open it on the query window. You can also display the saved charts as a list selecting the table icon in the Mode section. To delete a chart, click the X icon next to it.
The server icons next to the graph name indicate the number of queries used in the correlation. Hover over them to see the name of the data table.