Using Correlation Bloks in Advanced Search

You can use correlation Bloks in Advanced Search to search historical data and analyze the patterns in the data.

    Procedure
  1. Click next to the Search field, click Choose Blok, and then select the correlation Blok from the list.
  2. Enter the time period in the Time field and click Run.
    Note: For valid time expressions, see Time Range Expressions. If you enter an invalid value in the Time field, the range 1970-2070 is used.
    The correlation results display all events that contributed to the triggering of the correlation rule. Based on the correlation rule, the columns (correlation events and event groups) are extracted in a table format. Each row helps you analyze the associated values of the columns and event groups. If you refresh the search tab by clicking Search > Advanced Search or refresh the browser, the search tab closes.

    The following illustration displays the defined correlation rule in the Search field and retrieved events in the Timeline Charts, Columns, and Data panels. When you use Correlation Bloks in advanced search, hovering your mouse over any part of the chart displays the number of correlation events instead of the message count.

    Correlation Rule and Timeline Charts
  3. Click the event count link to view the event details on a new Search tab.
    Note: The event count link is available only when the count is less than 1024.

    Click the event count link (22 in the illustration), and the new search tab opens with the auto-generated EQL query in the Search field for the events associated with that event count. The Timeline Charts, Columns, and Data panels display the results associated for that event count as shown in the following illustration.