Custom filter based on a field range

datawrangler · July 16, 2019, 2:11pm

Hello All,
In the Discover Panel, to view all traffic a specific subnet is genrated you can do a filter such as:

source.ip: 10.0.1.0/24
source.ip: 10.0.2.0/24
source.ip: 10.0.3.0/24

Is there a way to create a user-friendly Kibana [ a dropdown seems to be optimal] with those filter values?
Secondarily, is there a way to also label the dropdown so that the filter values are more human-readable?
So,
source.ip: 10.0.1.0/24 ==> Public Network
source.ip: 10.0.2.0/24 ==> DMZ Network
source.ip: 10.0.3.0/24 ==> Private Network

IF, this is not possible what are some of my alternatives to having a custom filter which is user-friendly for IP address based on subnet I define?
Note that I say range because "source.ip > 10.0.1.0 AND source.ip <10.0.1.255" is a viable filter for me.

I'm using version 7.2.

Thank you in advance, Regards!!

Marius_Dragomir · July 18, 2019, 1:11pm

The filter editor would be your best bet. Just have a filter for each of them and enable/disable them by your needs.

datawrangler · July 22, 2019, 4:27pm

Hello Marius, thank you for responding!
Do you mean creating a custom filter and saving it as part of the dashboard? (see image):

So, there isn't a way to have a dropdown-type of filter?

Marius_Dragomir · July 23, 2019, 1:17pm

There is the Input Control visualization, but it's marked as experimental. You can try it and see if it fits your needs.

datawrangler · August 7, 2019, 5:31pm

Hello Marius,
I tried the Input Control visualization. To provide a simpler example of what I am seeing and looking to accomplish: I have a netflow field which yields a number, I want that number to be a 'word' and have the Input Control Visualization widget to use that 'word' as my filter.
So:
0) I am sending my filebeats to logstash to give me more control

I have the netflow field netflow.firewall_event sending the value [5, 1, 2, 3]. I want to map those values to ["teardown", "created", "deleted", "denied"].
I installed logstash and created a new field with these values:
if [netflow][firewall_event] == "5" {
mutate { add_field => { "netflow.firewall_event_name" => "teardown"}}
} else if [netflow][firewall_event] == 1 {
mutate { add_field => { "netflow.firewall_event_name" => "created"}}
} else if [netflow][firewall_event] == 2 {
mutate { add_field => { "netflow.firewall_event_name" => "deleted"}}
} else if [netflow][firewall_event] == 3 {
mutate { add_field => { "netflow.firewall_event_name" => "denied"}}
}
I see the new fields being populated as expected, so I create the input control:

However,
I receive the error message "netflow.firewall_event_name.keyword" doesn't exists on any documents in the filebeat-*:

This is what my index looks look like:

What am I doing wrong?
Do I have to modify some template to add the new field I am creating? (netflow.firewall_event_name) If so, how do I go about doing that?

Thanks in advance.