I have a series of IP flows with an associated metric that I want to present as a line chart. The flows (SA, DA, SP, DP, AF) have been indexed & the addresses mapped to the correct type ("IP").
I now want to visualize the average metric from each individual flow. I'm thinking a line chart with metric value on the Y-axis, date-time on the X-axis and each flow represented as a separate line (maybe just the top 10 flows).
Whilst I can produce a single line representing the average over all flows and I can generate multiple lines using just the source-address, I can't figure out how to "bind" (?) the SA+DA+SP+DP values into a single line.
Didn't really understand what the originator was trying to do or the solution - I guess I'm still "challenged" when it comes to understanding the details of ELK!
I did try adding a filter (destination-address='192.168.254.254' and source-address='192.168.1.1') and that worked - I got a line representing the metric average for that flow. Except it's all very manual and that's just one flow.
It's been suggested that the application that is injecting the records into logstash should combine the addresses. That is, rather than have separate IP source & destination fields, have a single (string) field that is "source-destination".
You can have a combined field representing the flow in addition to the separate source and destination IP fields as these may be useful for different types of analysis.
And you can create a scripted field in Kibana. It's a little bit of a performance hit compared to changing your logstash to create the combined field. But it's pretty quick and easy to combine 2 strings like that.
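As an added illustration of the Logstash-side approach suggested above (this is example configuration, not from the original thread or from the Elastic project), the combined flow key can be built in the pipeline itself with a `mutate` filter rather than in the application that emits the records. It assumes the field names `source-address` and `destination-address` seen in the thread, and assumes the ports are stored as `source-port` and `destination-port`, which is a guess since the thread only abbreviates them as SP and DP:

```logstash
filter {
  # Only build the key when all four tuple fields are present, so
  # records that lack a port (e.g. ICMP) do not produce a partial key.
  if [source-address] and [destination-address] and [source-port] and [destination-port] {
    mutate {
      # Single string identifying the flow, e.g.
      # "192.168.1.1:51234->192.168.254.254:443".
      # The original address and port fields are left untouched so they
      # remain available for per-host analysis and range filtering.
      add_field => {
        "flow" => "%{[source-address]}:%{[source-port]}->%{[destination-address]}:%{[destination-port]}"
      }
    }
  }
}
```

In the index mapping, `flow` needs to be a non-analyzed (keyword) string; an analyzed text field would be tokenized on the `:` and `.` characters and a terms aggregation on it would not give one bucket per flow. With that in place, the Kibana line chart can use a terms split on `flow` (size 10, ordered by the metric average) to get one line per flow without any manual filters. The key is directional, so the two halves of a conversation appear as two separate flows; if that is not wanted, the same filter can be extended to sort the two endpoints before concatenating. A Kibana scripted field computes the same string at query time instead, which avoids re-indexing but pays the concatenation cost on every search.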