Compare two fields

Hi,

I am new to elastic and was hoping you can help me.
I am using elastic to collect logs from both packetbeat to my 'packetbeat' index, and filebeat to my 'filebeat' index.
I have an IP field in both of the indexes and I would like to trigger an alert if there's a match (if IP from packetbeat index log appears in IP field of filebeat index log)

for example:

{
  "_index": "packetbeat-7.12.1-2021.05.14-000001",
  "_type": "_doc",
  "fields": {
    "source.ip": [
      "192.168.0.100"
    ]
  }
}

and

{
  "_index": "filebeat-7.12.1-2021.05.14-000001",
  "_type": "_doc",
  "fields": {
    "recipientIP": [
      "192.168.0.100"
    ]
  }
}

since source.ip = recipientIP -> trigger an alert.

What is the method of doing so?
I am using the managed version of the Elastic Stack (cloud) and the web console to configure the alerts (not Python or anything like that).

Thank you in advance

In a relational database this would be a join, which is something Elasticsearch does not support as it scales badly in distributed systems with large amounts of data. You might be able to create a separate index using a transform where you have a document per IP address and record which stream it has been seen in. This would allow you to query this index directly which would be easier and faster.
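One way to build the per-IP index the reply describes, as an added example that is not from the original thread: this is the request body for `PUT _transform/ip-seen-in-streams`, sent from the Kibana Dev Tools console. It assumes both indices carry the default Beats fields (`agent.type` set to `packetbeat` or `filebeat`, `@timestamp` present) and that `recipientIP` is mapped as `ip` or `keyword`; the transform id, the destination index `ip-seen-in-streams` and the runtime field `ip_observed` are names chosen for this example. Runtime mappings inside a transform source need Elasticsearch 7.12 or later, which matches the index names shown above.

```json
{
  "source": {
    "index": ["packetbeat-*", "filebeat-*"],
    "runtime_mappings": {
      "ip_observed": {
        "type": "ip",
        "script": {
          "source": "if (doc.containsKey('source.ip') && doc['source.ip'].size() > 0) { emit(doc['source.ip'].value); } else if (doc.containsKey('recipientIP') && doc['recipientIP'].size() > 0) { emit(doc['recipientIP'].value); }"
        }
      }
    }
  },
  "dest": {
    "index": "ip-seen-in-streams"
  },
  "frequency": "1m",
  "sync": {
    "time": {
      "field": "@timestamp",
      "delay": "60s"
    }
  },
  "pivot": {
    "group_by": {
      "ip": {
        "terms": { "field": "ip_observed" }
      }
    },
    "aggregations": {
      "stream_count": {
        "cardinality": { "field": "agent.type" }
      },
      "events": {
        "value_count": { "field": "@timestamp" }
      },
      "first_seen": {
        "min": { "field": "@timestamp" }
      },
      "last_seen": {
        "max": { "field": "@timestamp" }
      }
    }
  },
  "description": "One document per IP with the number of Beats streams (packetbeat, filebeat) it appeared in"
}
```

After starting the transform, an Elasticsearch query alert rule in Kibana that runs `{"range": {"stream_count": {"gte": 2}}}` against `ip-seen-in-streams` fires exactly when an address such as 192.168.0.100 has been seen by both packetbeat and filebeat, without any cross-index join at alert time.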

