Field normalization and categorization at point of ingest on the roadmap?

Is data normalization/categorization on the roadmap? I want to be able to query across multiple tables for IP addresses. Currently, it appears that I have to know the various names of IP address fields across many different tables. Then if a table is added, I have to update my queries. Maybe that's supposed to be done through Alerts, but that seems pretty late in the event data processing pipeline. Am I overlooking something here?


Please bear in mind that my perspective is heavily ArcSight-oriented. I tend to look at SIEM through that lens.

1 Reply

The product group will have to say if normalization is on the cards. You can check the tables if you have a test IP address. This will list the table names. Tables are added infrequently (generally), and you would have to adapt your query to JOIN / union this new data.


// Put your test IP address between the quotes.
search ""
| summarize count() by $table
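The union approach mentioned in the reply, written out as an added example (it is not part of the original thread): a single query-time function maps each table's IP column to one common field, so a newly added table means one new line in the function rather than edits to every query. The tables and columns listed are assumed to be present in the workspace, `NormalizedIPs` is a hypothetical function name, and the target IP is a constructed sample value.

```kusto
// Query-time normalization: one place that knows each table's IP column name.
let NormalizedIPs = () {
    // isfuzzy=true skips tables that do not exist in this workspace
    // instead of failing the whole query.
    union isfuzzy=true withsource=SourceTable
        (SigninLogs        | project TimeGenerated, IPField = "IPAddress",       NormalizedIP = IPAddress),
        (AzureActivity     | project TimeGenerated, IPField = "CallerIpAddress", NormalizedIP = CallerIpAddress),
        (OfficeActivity    | project TimeGenerated, IPField = "ClientIP",        NormalizedIP = ClientIP),
        (CommonSecurityLog | project TimeGenerated, IPField = "SourceIP",        NormalizedIP = SourceIP),
        (CommonSecurityLog | project TimeGenerated, IPField = "DestinationIP",   NormalizedIP = DestinationIP)
};
// Constructed sample value from the TEST-NET-1 documentation range.
let target_ip = "192.0.2.10";
NormalizedIPs
| where NormalizedIP == target_ip
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceTable, IPField
| order by LastSeen desc
```

Some sources append a port or wrap IPv6 addresses in brackets in their IP column, so an exact match can miss rows; where that applies, clean the value inside the function so every caller gets the same normalized form.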