I am very new to ELK. In my organization We are thinking of migrating from Splunk Enterprise to ELK. But before doing that I was asked to test whether we are able to run all the use cases we have built on Splunk in ELK. I have completed till indexing the data. Now the problem is with querying. In splunk lets say I use a simple query "index=bluecoat category="Phishing"|table user source_ip". This would create a table with the user with source_ip who have visited sites categorized as phishing. Can someone help me whether this can be done using Kibana or any other app? Is it even possible to do so. Any help at the earliest would be appreciated.
Kibana is a great tool to be work with. My organization is using ELK and it provides all the logging solution.
Sorry, but does that answer my question?
You can certainly do this...
I would run a search in Discover with the following parameters:
- Select your BlueCoat index
- Your query would look something like this: category:Phishing
- Save your query
- Create a new visualization by going to the Visualize tab
- Create a new Data table visualization from the search you just saved
- Add a metric, split rows, with the term for source IP. You'll get a count by source IP. like this:
and you'll end up with something like this:
You can add more buckets to get more granular or flip it to destination hostname/ip, whatever you want.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.