Creating aggregate "top 10 IPs" table with geoip data

Hello there!

I am migrating from Sumo Logic to ELK and I am struggling to create the same or similar panels for a dashboard I am working on.

I am analyzing firewall logs and would like to create a table of the top ten blocked IP addresses and their occurrence count. I figured out how to do that using a Data Table visualization. However, I am struggling to add additional columns for context like I was able to do in Sumo Logic. E.g. I want to add columns for country and city based on geoip (all my events have geoip fields through the geoip plugin and of course each aggregate row has the same geoip info since my aggregation is based upon the IP address field) but I can't seem to find a way to build anything like it.

ELK and Sumo Logic work very differently and I am new to ELK. I welcome any advice you might have.

For your reference, I attached a screenshot of my Sumo Logic dashboard panel that I am trying to emulate in Kibana.


Thank you all!

Cheers.
Volker


Roughly 10 minutes after my initial post I figured it out...

I was able to add additional columns by adding additional metrics using the "Top Hits" aggregator.

That way I was able to generate the following table, which is very close to what I had in Sumo Logic.

Maybe this helps someone else.

Thank y'all & happy New Year!

Cheers.
Volker

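For anyone who wants to see what the Data Table described in the post above is doing under the hood, here is the equivalent Elasticsearch request and a parser for its response, written as an added example (this is not code from the thread or from Elastic). It assumes ECS-style field names that the post does not state: the blocked-source IP is in `source.ip`, the firewall verdict is in `event.action` with the value `blocked`, and the geoip plugin populated `geoip.country_name` and `geoip.city_name`. A Kibana Data Table with a Terms bucket on the IP field plus one Top Hits metric per context column compiles to a `terms` aggregation with `top_hits` sub-aggregations, which is what `build_top_blocked_ips_query` emits. The sample events and the sample response are constructed to match each other, so `aggregate_locally` (a pure-Python reference of the same table) and `rows_from_response` can be cross-checked offline; one IP deliberately lacks geoip fields to show how an empty Top Hits column comes back.

```python
"""Kibana "top N blocked IPs with geoip columns" table, expressed as raw
Elasticsearch DSL plus a response parser.  Added example, not the thread's
own code.  Field names (source.ip, event.action, geoip.*) are assumptions."""
from collections import Counter

IP_FIELD = "source.ip"
GEO_FIELDS = ("geoip.country_name", "geoip.city_name")   # one Top Hits column each


def build_top_blocked_ips_query(size=10, action_field="event.action",
                                action_value="blocked"):
    """Terms bucket on the IP field; a size-1 top_hits metric per context column.
    Because every event for a given IP carries the same geoip data, the first
    hit in each bucket is representative, which is why a Top Hits metric works."""
    top_hits_metrics = {
        f"top_{field}": {"top_hits": {"size": 1, "_source": {"includes": [field]}}}
        for field in GEO_FIELDS
    }
    return {
        "size": 0,   # we only want the aggregation, not the matching documents
        "query": {"bool": {"filter": [{"term": {action_field: action_value}}]}},
        "aggs": {"blocked_ips": {"terms": {"field": IP_FIELD, "size": size},
                                 "aggs": top_hits_metrics}},
    }


def _dig(doc, dotted):
    """Resolve a dotted field name against a nested _source dict; None if absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def rows_from_response(response):
    """Flatten the terms/top_hits response into table rows: ip, count, geo columns."""
    rows = []
    for bucket in response["aggregations"]["blocked_ips"]["buckets"]:
        row = {"ip": bucket["key"], "count": bucket["doc_count"]}
        for field in GEO_FIELDS:
            hits = bucket[f"top_{field}"]["hits"]["hits"]
            # An IP with no geoip fields still yields a hit, but with an empty _source.
            row[field] = _dig(hits[0]["_source"], field) if hits else None
        rows.append(row)
    return rows


def aggregate_locally(events, size=10, action_field="event.action",
                      action_value="blocked"):
    """Reference implementation of the same table over in-memory events."""
    counts, context = Counter(), {}
    for ev in events:
        if _dig(ev, action_field) != action_value:
            continue          # same filter as the query's bool.filter term
        ip = _dig(ev, IP_FIELD)
        counts[ip] += 1
        context.setdefault(ip, {f: _dig(ev, f) for f in GEO_FIELDS})   # first hit wins
    return [{"ip": ip, "count": n, **context[ip]} for ip, n in counts.most_common(size)]


# Constructed sample events (RFC 5737 documentation addresses), not real firewall data.
SAMPLE_EVENTS = [
    {"source": {"ip": "203.0.113.5"}, "event": {"action": "blocked"},
     "geoip": {"country_name": "Germany", "city_name": "Berlin"}},
    {"source": {"ip": "203.0.113.5"}, "event": {"action": "blocked"},
     "geoip": {"country_name": "Germany", "city_name": "Berlin"}},
    {"source": {"ip": "203.0.113.5"}, "event": {"action": "blocked"},
     "geoip": {"country_name": "Germany", "city_name": "Berlin"}},
    {"source": {"ip": "203.0.113.5"}, "event": {"action": "allowed"},   # filtered out
     "geoip": {"country_name": "Germany", "city_name": "Berlin"}},
    {"source": {"ip": "198.51.100.9"}, "event": {"action": "blocked"},
     "geoip": {"country_name": "Brazil", "city_name": "Sao Paulo"}},
    {"source": {"ip": "198.51.100.9"}, "event": {"action": "blocked"},
     "geoip": {"country_name": "Brazil", "city_name": "Sao Paulo"}},
    {"source": {"ip": "192.0.2.77"}, "event": {"action": "blocked"}},   # no geoip at all
]

# Constructed response in the shape Elasticsearch returns for the query above.
SAMPLE_RESPONSE = {"aggregations": {"blocked_ips": {"buckets": [
    {"key": "203.0.113.5", "doc_count": 3,
     "top_geoip.country_name": {"hits": {"hits": [{"_source": {"geoip": {"country_name": "Germany"}}}]}},
     "top_geoip.city_name": {"hits": {"hits": [{"_source": {"geoip": {"city_name": "Berlin"}}}]}}},
    {"key": "198.51.100.9", "doc_count": 2,
     "top_geoip.country_name": {"hits": {"hits": [{"_source": {"geoip": {"country_name": "Brazil"}}}]}},
     "top_geoip.city_name": {"hits": {"hits": [{"_source": {"geoip": {"city_name": "Sao Paulo"}}}]}}},
    {"key": "192.0.2.77", "doc_count": 1,
     "top_geoip.country_name": {"hits": {"hits": [{"_source": {}}]}},
     "top_geoip.city_name": {"hits": {"hits": [{"_source": {}}]}}},
]}}}


if __name__ == "__main__":
    for row in rows_from_response(SAMPLE_RESPONSE):
        print(row)
```

Send the dict from `build_top_blocked_ips_query()` as the body of `GET <index>/_search` (Kibana's Inspect panel on the Data Table shows the request it actually generated, which should have the same shape). The `"size": 1` on each `top_hits` keeps the response small; if the geoip columns ever disagree within one IP bucket, that assumption of "same geoip per IP" has broken and a single representative hit would hide it.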
