i have two sources/streams and i wonder, if it’s possible to search similar to sql-Subqueries.
One source/stream comes from a reverse proxy and contains prevented attack attempts. The other source/stream are apache-accesslogs. Now I would like to see all apache-requests of the attackers, which could not be prevented.
In mysql it would be something like that:
select * from sourceA where sourceA.IP in (select IP from sourceB)
Or if i separated the messages by source:
select * from streamA where streamA.IP in (select IP from streamB)
The (fantasy) search-syntax could be something like that:
source:apache.accesslog AND IP:(IP[source:attackers])
source:apache.accesslog AND IP:(IP[stream:12312388])
Is there something like that in graylog?