Correlation Criteria

Correlation criteria can be of the following types:

  • A join condition describing which fields should be equals in two event groups
  • A sequencing constraint that describes the relative order in which two event groups should occurs
  • An expression criteria that describes a condition among fields of different event groups 
    <event_group_identifier1> -> <field_identifier1> == <event_group_identifier2> -> <field_identifier2> <event_group_identifier1> (Begins | Ends) [At Least <integer> [ d | h | m | s ]] [Up To <integer> [ d |h | m | s ]] (Before | After) <event_group_identifier2> (Begins|Ends)

This is an expression criteria that is used to describe a condition between fields that belongs to different event groups. 

<expression which uses syntax eventGroupIdentifier -> fieldIdentifier for keys>

For example, group1->sum_bytes >= group2->sum_bytes

Note: The fields referenced in a join must be grouping fields for their respective event groups.