Using subsearches to find loosely related events
The number of use cases for subsearches in the real world might be small, but for those situations where they can be applied, subsearches can be a magic bullet. Let's look at an example and then talk about some rules.
Subsearch
Let's start with these events:
2012-04-20 13:07:03 msgid=123456 from=mary@companyx.com
2012-04-20 13:07:04 msgid=654321 from=bobby@companyx.com
2012-04-20 13:07:05 msgid=123456 to=bob@vendor1.co.uk
2012-04-20 13:07:06 msgid=234567 from=mary@companyx.com
2012-04-20 13:07:07 msgid=234567 to=larry@vender3.org
2012-04-20 13:07:08 msgid=654321 to=bob@vendor2.co.uk
From these events, let's find out who mary has sent messages to. Notice that the from and to values for a single message are in different events, tied together only by msgid. We could use stats to pull the events for each msgid together, and then filter the resulting rows, like this:
sourcetype=mail to OR from | stats values(from) as from values(to) as to by msgid | search from=mary@companyx.com
The problem...
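To make the two strategies concrete, here is an added Python model of how each search would process the six events above. This is example code written for this page, not Splunk code and not from the book; the parse function stands in for Splunk's automatic key=value field extraction, and the "events read" count is an assumption about what each approach has to retrieve (the stats form must read every to OR from event before it can filter, while the subsearch form first finds only mary's msgid values and then reads only the matching to events).

```python
import re
from collections import defaultdict

# Constructed sample events: the six lines from the text, one per line.
EVENTS = """\
2012-04-20 13:07:03 msgid=123456 from=mary@companyx.com
2012-04-20 13:07:04 msgid=654321 from=bobby@companyx.com
2012-04-20 13:07:05 msgid=123456 to=bob@vendor1.co.uk
2012-04-20 13:07:06 msgid=234567 from=mary@companyx.com
2012-04-20 13:07:07 msgid=234567 to=larry@vender3.org
2012-04-20 13:07:08 msgid=654321 to=bob@vendor2.co.uk
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Extract key=value pairs from one raw event (a stand-in for Splunk's
    automatic field extraction); the leading timestamp is kept as _time."""
    fields = dict(KV_RE.findall(line))
    fields["_time"] = line[:19]
    return fields


def stats_then_filter(events, sender):
    """Model of:
        sourcetype=mail to OR from
        | stats values(from) as from values(to) as to by msgid
        | search from=<sender>
    Every event carrying a to or from field is read and grouped by msgid
    before the final filter can run. Returns (sorted recipients, events read)."""
    events_read = 0
    by_msgid = defaultdict(lambda: {"from": set(), "to": set()})
    for line in events:
        f = parse(line)
        if "to" not in f and "from" not in f:
            continue  # not matched by "to OR from"
        events_read += 1
        for key in ("from", "to"):
            if key in f:
                by_msgid[f["msgid"]][key].add(f[key])
    recipients = set()
    for row in by_msgid.values():          # | search from=<sender>
        if sender in row["from"]:
            recipients |= row["to"]
    return sorted(recipients), events_read


def subsearch(events, sender):
    """Model of a subsearch: the inner search (from=<sender> | fields msgid)
    runs first and yields only msgid values; the outer search then reads
    only events that match one of those msgid values AND carry a to field.
    Returns (sorted recipients, events read across both passes)."""
    events_read = 0
    msgids = set()
    for line in events:                    # inner search
        f = parse(line)
        if f.get("from") == sender:
            events_read += 1
            msgids.add(f["msgid"])
    recipients = set()
    for line in events:                    # outer search, OR-expanded msgids
        f = parse(line)
        if f.get("msgid") in msgids and "to" in f:
            events_read += 1
            recipients.add(f["to"])
    return sorted(recipients), events_read


if __name__ == "__main__":
    for name, fn in (("stats+search", stats_then_filter), ("subsearch", subsearch)):
        recips, n = fn(EVENTS, "mary@companyx.com")
        print(f"{name:12s} recipients={recips} events_read={n}")
```

Both functions return the same two recipients for mary, but the stats form reads all six events and the subsearch model reads four: two in the inner pass and two in the outer pass. On a real mail index where only a tiny fraction of messages involve the sender of interest, that difference is what makes the subsearch attractive. The caveat a practitioner should keep in mind is that a real Splunk subsearch is bounded by result-count and time limits set in limits.conf, so if the inner search would return a very large number of msgid values, the expanded OR clause is silently truncated and the outer search misses events.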