Complex searching with subquery-functionality?


(Michael Ancutici) #1

Hi there,

I have two sources/streams and I wonder if it’s possible to search similarly to SQL subqueries.

For example:
One source/stream comes from a reverse proxy and contains prevented attack attempts. The other source/stream is Apache access logs. Now I would like to see all Apache requests of the attackers which could not be prevented.

In MySQL it would be something like this:
select * from sourceA where sourceA.IP in (select IP from sourceB)

Or, if I separated the messages by source:
select * from streamA where streamA.IP in (select IP from streamB)

The (fantasy) search syntax could be something like this:
source:apache.accesslog AND IP:(IP[source:attackers])
source:apache.accesslog AND IP:(IP[stream:12312388])

Is there something like that in Graylog?

Thanks, Michael.


(Jochen) #2

No, that’s not possible.


(Michael Ancutici) #3

Thank you for this clear answer. Then it’s not necessary to research further.
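Since the search language cannot express the `IN (subquery)` from post #1, the same correlation can be done outside Graylog over exported messages. The following is an added example, not code from the thread or from Graylog: it reads a constructed reverse-proxy log (stream B, blocked attempts) and a constructed Apache combined-format access log (stream A), takes the set of blocked client IPs, and returns every access-log request from those IPs; the optional 2xx filter narrows that to requests the proxy did not stop. The log formats and field names are assumptions.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample data (not taken from the thread).
# Stream B: reverse-proxy log with blocked attempts. Only BLOCK lines count as attackers.
BLOCKED_LOG = """\
2024-05-01T10:00:01Z proxy BLOCK client=203.0.113.7 rule=sqli path=/login
2024-05-01T10:00:05Z proxy BLOCK client=198.51.100.23 rule=xss path=/search
2024-05-01T10:00:09Z proxy ALLOW client=192.0.2.44 path=/index.html
"""

# Stream A: Apache access log (combined format).
ACCESS_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /login HTTP/1.1" 403 512 "-" "curl/8.0"
203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 200 1024 "-" "curl/8.0"
192.0.2.44 - - [01/May/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [01/May/2024:10:00:12 +0000] "POST /api/upload HTTP/1.1" 200 88 "-" "python-requests/2.31"
"""

BLOCK_RE = re.compile(r"\bBLOCK\b.*?\bclient=(\d{1,3}(?:\.\d{1,3}){3})")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

Hit = Tuple[str, str, str, int]  # (ip, method, path, status)


def attacker_ips(blocked_lines: Iterable[str]) -> Set[str]:
    """Inner query: SELECT IP FROM streamB, restricted to lines the proxy actually blocked."""
    return {m.group(1) for line in blocked_lines for m in [BLOCK_RE.search(line)] if m}


def requests_from(access_lines: Iterable[str], ips: Set[str], only_2xx: bool = False) -> List[Hit]:
    """Outer query: SELECT * FROM streamA WHERE streamA.IP IN (ips).
    With only_2xx=True, keep only requests the web server answered successfully,
    i.e. attacker traffic that was not prevented upstream."""
    hits: List[Hit] = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group("ip") not in ips:
            continue  # unparseable line or not an attacker IP
        status = int(m.group("status"))
        if only_2xx and not 200 <= status < 300:
            continue
        hits.append((m.group("ip"), m.group("method"), m.group("path"), status))
    return hits


def correlate(blocked_log: str, access_log: str, only_2xx: bool = False) -> List[Hit]:
    """Run the two-step 'subquery' over raw log text."""
    return requests_from(access_log.splitlines(), attacker_ips(blocked_log.splitlines()), only_2xx)


if __name__ == "__main__":
    for hit in correlate(BLOCKED_LOG, ACCESS_LOG, only_2xx=True):
        print(hit)
```

The same two-step approach works against real exports: pull the blocked-client IPs from one stream, then feed them into a second search over the access-log stream.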