Run Correlate
After you perform an Investigation, Log Miner, Tail, or Personal Dashboard search, you can use correlate to search those results. Correlate can narrow the original search results to display just the logs that match either a log from the original search or the values you set in the Quick Search toolbar. Because correlate only searches the logs returned in the original search, it is very efficient.
On the My LogRhythm menu, click My Preferences.
Set your Data Processor defaults.
If correlate returns the error message No log or event repositories were configured for the search, it means no Data Processor defaults are set in My Preferences.
- Generate initial search results from Investigator, Tail, Log Miner, or Personal Dashboard.
- (Optional) Set up criteria in the Quick Search toolbar. You can include the following Quick Search toolbar options in a correlation:
- In the past. Enter the number of minutes, hours, or days to use in the log data search.
- Include. Select the classifications to use as filters for the investigation.
- Options. Set values for:
- Type of investigation
- Use Investigation. Defaults to Data Processor. It can change to Platform Manager if you select Investigation Wizard.
- Use Log Miner. Uses LogMart.
- Query Platform Manager? Queries the Platform Manager in addition to the selection above.
- Query Default Data Processors? Queries the Data Processors set as defaults.
- Investigation Wizard. Opens before correlation starts so you can set additional criteria.
- Type of investigation
- Aggregate log settings. First Normal Date = 8:00 AM, Last Normal Date = 12:00 PM
- Quick Search Toolbar setting. In the past 1 hour
- Result. The Correlated search date range = 7:00 AM to 1:00 PM.
- Select a log from the initial search.
- Right-click the selected log, and then click Correlate.
- From the Correlate options, select the field that you want to match. The options include the following:
- All Fields. All fields with data will be used within the investigations filter.
- Select Field. Click the down-arrow and select from the drop-down list. Available options depend on the selected log.
- Field Combinations. The combination selected will be used within the investigations filter. For example, if User (Impacted) in User (Origin) is selected, the filter within the investigation will take the value that is in User (Impacted) within the record selected and use that value to filter the User (Origin) field regardless what is in the User (Origin) field for the record selected.
- FIM/DLD. Only available from non-aggregate/event lists within Investigator or DLD for Data Loss Defender and Tail. Only available for FIM/DLD logs – the log source is type FileMon for File Integrity Mon.