Hello, I hope this is the right channel for my ES|QL question. I've set up a centralized log server with 3 IPs sending their logs to that server. I've installed an agent, but now can't figure out the right query to list every type of log coming from each of the 3 IPs. Is this type of query possible?
I'm transitioning away from Splunk, but query examples for ELK aren't as available as they are for Splunk. Any resources, links or query suggestions are appreciated!
Hey @michael005,
In which field are you storing the IP? In which field are you storing the type of log?
Off the top of my head, I can think of something like:
FROM logs-*
| EVAL source_ip = your_ip_field
| EVAL log_type = your_log_type_field
| STATS doc_count = COUNT(*) BY source_ip, log_type
| SORT source_ip, doc_count DESC
As for sources where to check out ES|QL information, you could start with the official documentation, where you will find information about the available functions and some examples.
Let me know if I can help you further.
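As an added example (not part of the thread), here is the same idea with concrete ECS field names, assuming the sending host lands in source.ip and the log type in data_stream.dataset; the three addresses are constructed RFC 5737 placeholders, and MAX(@timestamp) is added so a source that has stopped forwarding a log type stands out.

```esql
// Added example, not from the thread. Assumes ECS field names:
// source.ip (sending host) and data_stream.dataset (log type).
// The three addresses are constructed RFC 5737 placeholders.
FROM logs-*
| WHERE @timestamp > NOW() - 24 hours
  AND source.ip IN (TO_IP("192.0.2.10"), TO_IP("192.0.2.11"), TO_IP("192.0.2.12"))
| STATS events = COUNT(*), last_seen = MAX(@timestamp)
    BY source.ip, data_stream.dataset
| SORT source.ip ASC, events DESC
```

A host that is missing from the result, or whose last_seen is hours old, has silently stopped sending that log type, which is worth checking before relying on the server for detection or forensics.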
@Yngrid_Coello - Thanks for that query! That was different from what I was imagining (coming from a Splunk point of view).