Correlation Bloks
For your forensic needs, you can search data using Correlation Bloks.
Correlation Bloks are created using Event Correlation Language Reference (ECL). You create a correlation Blok and use the Bloks on real-time data to set up triggers. The triggers are, in turn, configured to send alerts on the real-time data.
You can also use correlation Bloks in Advanced Search to search historical data and analyze the patterns in the data. When entering a Blok name in the Search field, start with the prefix correlation. for any existing correlation Blok. Content assist can help you by showing all possible values for that type of Blok. The correlation search results are displayed every time the rule's conditions are met. For more information, see Using Correlation Bloks in Advanced Search.
You cannot combine a correlation Blok with other Blok types in a single query. Only one correlation Blok can be used at a time in a query. In a correlation Blok query if there are more than one million events for the defined time duration, only the first one million events are processed for better performance. In such cases, it is a best practice to reduce the time duration to retrieve accurate results.
- The Blok name cannot contain a period (.).
- On the Advanced Search page, you cannot filter search results for Correlation Blok by clicking the timeline chart or using the chart time slider. This is because LogLogic LMI does not support adding filters and running subqueries on the search results for a Correlation Blok.