Extra not composed fields in subquery in Lab_14_-_Correlation_using_Subqueries example.

Follow

Michael Freidgeim

• August 01, 2021 03:34

In documentation https://help.sumologic.com/01Start-Here/Quick-Start-Tutorials/Hands-on_Labs02%3A_Security_Analytics/14Lab_14_-_Correlation_using_Subqueries

subquery parses 4 fields, but  compose only 1 src_ip.

| parse "{TCP} *:* -> *:*" as src_ip, src_port, dest_ip, dest_port nodrop

| compose src_ip

How other 3 are used/exposed?

Or they redundant and can be removed from subquery?

0

• 

  Shobhit Garg

  • August 02, 2021 08:54

  Hi Michael,

  The remaining 3 fields src_port, dest_ip and dest_port will not be used any where, they are parsed just to make extraction of src_ip easy.

  Here subquery is used under search expression. Check below doc

  https://help.sumologic.com/05Search/Subqueries#syntax

  Hope this helps.

  0

  Comment actions Permalink
• 

  Michael Freidgeim

  • August 02, 2021 21:45

  How non used fields make extraction of src_ip easy?

  Imho keeping them make the example confusing.

  0

  Comment actions Permalink

Please sign in to leave a comment.