I'm currently developing a script which ingests documents into an Elasticsearch index, which contains data from a network discovery:
{
  "_index": "device_discovery",
  "_type": "_doc",
  "_id": "YAySBnwBWvky_R2ePp1X",
  "_score": 1,
  "_source": {
    "datetime": "2021-08-24 04:13:50",
    "run_id": "20210921",
    "ip_addr": "10.0.0.1",
    "dns": [
      "name.domain.com"
    ],
    "red_addr": "10.0.0.0",
    "red_addr_cidr": "10.0.0.0/8",
    "type": "device_discovery",
    "source_server": "10.1.0.1",
    "segmento_name": "Testing"
  },
  "fields": {
    "datetime": [
      "2021-08-24T04:13:50.000Z"
    ],
    "run_id": [
      "20210921"
    ],
    "source_server": [
      "10.1.0.1"
    ],
    "red_addr": [
      "10.0.0.0"
    ],
    "dns": [
      "name.domain.com"
    ],
    "segmento_name": [
      "Testing"
    ],
    "type": [
      "device_discovery"
    ],
    "ip_addr": [
      "10.0.0.1"
    ],
    "red_addr_cidr": [
      "10.0.0.0/8"
    ]
  }
}
That document basically says "This IP is alive". The script will run each week, discovering devices and loading them into the index. What I'm trying to achieve is to visualize somehow the difference each week. Let's say today I run the script and the IP 10.0.0.2 doesn't answer my ping and is not loaded into the index, but others will, and that timestamp will have records (I plan to run it each Friday). Next week I run the script and said IP answers, so it's loaded into the index; what I want to see is that difference: "this new IP wasn't here last week but now it is". That's my primary objective, but other use cases include seeing if their DNS changes from one scan to another.
I'm open to making any changes to the index pattern, including or taking out fields, to make it work.
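One way to get the week-over-week view described above is to compute the delta in the ingest script itself rather than at query time: pull the previous run and the current run by `run_id`, key both by `ip_addr`, and write one document per change to a separate index that Kibana can chart directly. The following is an added example, not the poster's script; it works on documents in the `_source` shape shown in the question (`run_id`, `ip_addr`, `dns`, `red_addr_cidr`, `segmento_name`). The two sample runs `RUN_PREV` and `RUN_CURR` are constructed for illustration, and the `device_changes` index name is an assumption.

```python
"""Week-over-week diff of a device-discovery index (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample runs (hypothetical hosts) in the question's `_source` shape.
RUN_PREV = [
    {"run_id": "20210917", "ip_addr": "10.0.0.1", "dns": ["name.domain.com"],
     "red_addr_cidr": "10.0.0.0/8", "segmento_name": "Testing"},
    {"run_id": "20210917", "ip_addr": "10.0.0.3", "dns": ["db.domain.com"],
     "red_addr_cidr": "10.0.0.0/8", "segmento_name": "Testing"},
    {"run_id": "20210917", "ip_addr": "10.0.0.4", "dns": [],
     "red_addr_cidr": "10.0.0.0/8", "segmento_name": "Testing"},
]
RUN_CURR = [
    {"run_id": "20210924", "ip_addr": "10.0.0.1", "dns": ["name.domain.com"],
     "red_addr_cidr": "10.0.0.0/8", "segmento_name": "Testing"},
    {"run_id": "20210924", "ip_addr": "10.0.0.2", "dns": ["new-host.domain.com"],
     "red_addr_cidr": "10.0.0.0/8", "segmento_name": "Testing"},   # not seen last week
    {"run_id": "20210924", "ip_addr": "10.0.0.3", "dns": ["db-new.domain.com"],
     "red_addr_cidr": "10.0.0.0/8", "segmento_name": "Testing"},   # DNS name changed
    # 10.0.0.4 did not answer this week, so it has no document in this run.
]


def run_query(run_id: str) -> dict:
    """Search body that pulls one run's documents (not executed here; pass it
    to the search or scroll API and feed the `_source` of each hit to diff_runs)."""
    return {
        "query": {"term": {"run_id": run_id}},
        "_source": ["ip_addr", "dns", "red_addr_cidr", "segmento_name"],
        "size": 10000,
    }


def by_ip(docs: Iterable[dict]) -> Dict[str, dict]:
    """Index one run by ip_addr. If an IP was written twice in the same run,
    the last document wins, so one run never reports an IP as both present and absent."""
    return {d["ip_addr"]: d for d in docs}


def ip_sort_key(ip: str) -> int:
    """Sort numerically (10.0.0.2 before 10.0.0.10) rather than as strings."""
    return int(ipaddress.ip_address(ip))


@dataclass
class RunDiff:
    appeared: List[str]                                   # alive now, absent last run
    disappeared: List[str]                                # alive last run, absent now
    dns_changed: Dict[str, Tuple[List[str], List[str]]]   # ip -> (old names, new names)


def diff_runs(prev: Iterable[dict], curr: Iterable[dict]) -> RunDiff:
    """Compare two runs keyed by ip_addr; DNS lists are compared order-insensitively."""
    p, c = by_ip(prev), by_ip(curr)
    appeared = sorted(set(c) - set(p), key=ip_sort_key)
    disappeared = sorted(set(p) - set(c), key=ip_sort_key)
    dns_changed: Dict[str, Tuple[List[str], List[str]]] = {}
    for ip in sorted(set(p) & set(c), key=ip_sort_key):
        old, new = sorted(p[ip].get("dns", [])), sorted(c[ip].get("dns", []))
        if old != new:
            dns_changed[ip] = (old, new)
    return RunDiff(appeared, disappeared, dns_changed)


def change_documents(diff: RunDiff, prev_run_id: str, run_id: str,
                     index: str = "device_changes") -> List[dict]:
    """Flatten the diff into one document per change (index name is an assumption),
    so Kibana can chart appeared / disappeared / dns_changed counts per run."""
    base = {"_index": index, "run_id": run_id, "prev_run_id": prev_run_id}
    docs = []
    for ip in diff.appeared:
        docs.append({**base, "ip_addr": ip, "change": "appeared"})
    for ip in diff.disappeared:
        docs.append({**base, "ip_addr": ip, "change": "disappeared"})
    for ip, (old, new) in diff.dns_changed.items():
        docs.append({**base, "ip_addr": ip, "change": "dns_changed",
                     "dns_old": old, "dns_new": new})
    return docs


if __name__ == "__main__":
    d = diff_runs(RUN_PREV, RUN_CURR)
    print("appeared:   ", d.appeared)
    print("disappeared:", d.disappeared)
    print("dns changed:", d.dns_changed)
    for doc in change_documents(d, "20210917", "20210924"):
        print(doc)
```

Keying on `ip_addr` means a host that answers from a different address next week shows up as one disappearance and one appearance, which is the honest answer when the discovery only pings; the `dns_changed` case covers the second use case (same IP, different name). A "disappeared" document is as useful as an "appeared" one: a host that stopped answering is either decommissioned or being missed by the scan, and both are worth a look.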