Exclude internal IPs

(Brad Birdwell) #1

I am still new and working to figure out how to use Elasticsearch correctly to do what I want. I have been able to write some queries to get some information about all of the traffic on our network, but now I would like to filter out anything that is internal and only show internet traffic.

Currently I am set up as follows:
ASA firewall -> ELK (via Netflow)

What is the proper way to exclude, and from the rest of the traffic? I'm sure it's simple and I am just going about it all wrong.


(Shelby Sturgis) #2

Hi Brad,

You can exclude those patterns from your query using the search box and Lucene query syntax. Here is a nice tutorial site for learning the Lucene query syntax.

-ip: "" AND -ip: "" AND -ip: ""

where ip is the field name.
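As an added example (not from either post above), the same exclusion written out for the RFC 1918 private ranges, which is an assumption about what the internal addresses are. It builds the search-box form, where the CIDR must be quoted because a bare `/` starts a regex in Lucene syntax, and an equivalent Query DSL `bool` query that treats a flow as internal only when both endpoints are private; the `src_ip`/`dst_ip` field names are assumed, since real NetFlow field names depend on the ingest pipeline. The filter logic is also run locally over constructed sample records so the behaviour can be checked offline.

```python
import ipaddress
import json

# Assumption: "internal" means the RFC 1918 private ranges.
INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
INTERNAL_NETS = [ipaddress.ip_network(c) for c in INTERNAL_CIDRS]


def lucene_query(field="ip", cidrs=INTERNAL_CIDRS):
    """Search-box form. Elasticsearch ip fields accept CIDR terms, but the
    value must be quoted or Lucene reads '/8' as the start of a regex."""
    return " AND ".join(f'-{field}:"{c}"' for c in cidrs)


def dsl_query(fields=("src_ip", "dst_ip"), cidrs=INTERNAL_CIDRS):
    """Query DSL form. A flow is internal only if *every* endpoint field is
    in a private range; must_not drops exactly those flows, so traffic with
    at least one internet endpoint is kept. Field names are assumed."""
    all_private = {"bool": {"must": [{"terms": {f: list(cidrs)}} for f in fields]}}
    return {"query": {"bool": {"must_not": [all_private]}}}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def internet_flows(records, fields=("src_ip", "dst_ip")):
    """Local equivalent of dsl_query: drop flows whose endpoints are all internal."""
    return [r for r in records if not all(is_internal(r[f]) for f in fields)]


# Constructed sample NetFlow-style records, not real traffic.
SAMPLE = [
    {"src_ip": "192.168.1.10", "dst_ip": "10.0.0.5", "bytes": 512},        # internal only
    {"src_ip": "192.168.1.10", "dst_ip": "93.184.216.34", "bytes": 4096},  # outbound
    {"src_ip": "172.20.4.7", "dst_ip": "172.31.255.1", "bytes": 128},      # internal only
    {"src_ip": "198.51.100.9", "dst_ip": "10.1.2.3", "bytes": 2048},       # inbound
]

if __name__ == "__main__":
    print(lucene_query())
    print(json.dumps(dsl_query(), indent=2))
    print([r["bytes"] for r in internet_flows(SAMPLE)])  # [4096, 2048]
```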
