Hello all.
I’m a beginner so start with a very simple question about searching.
A customer of mine is running an ELK solution to collect Netflow packets coming from Cisco devices.
I try to search using the CURL tool from a Windows box to the remote system. I need to extract flows where an IP address is source or destination but I’m unable to create a correct boolean search starting from an example on documentation (Elasticsearch 2.2).
This makes me crazy!
Thanks for understanding.
Andrea
If you show us what you have so far it'll be easier to help.
Good morning Magnus.
I believe I need to create a URI search.
I need to select all packets where a specific IP is source or destination address starting from this basic working search
curl 'http://localhost:9200/logstash_netflow5-*/_search?q=netflow.ipv4_dst_addr:10.0.0.2&pretty=true'
Thanks.
Okay. And in what way doesn't this work? Do you get too many documents? Or too few?
This is an example. I need to create a query with a boolean OR.
netflow.ipv4_dst_addr:10.0.0.2 OR netflow.ipv4_src_addr:10.0.0.2
I repeat: What doesn't work? Do you get too many documents? Or too few?
I'm not able to create the correct query Magnus.
Solved. Simply use the Boolean operator OR.
Thanks for help.