I have an ESQL search that outputs a list of unique IP addresses.
When I Share to CSV, I'm getting "CSV may contain formulas, The report contains characters which spreadsheet applications can interpret as formulas.
When I open the CSV file, instead of a list of IP addresses, each row just has a hyphen instead any actual data.
It appears like this:
count,ip
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
"-","-"
Thanks for reaching out @sourcreamnormanbates, I have a few follow up questions here.
Here is the query I'm running:
from SMTPReceiveLogs*
| where data like "MAIL FROM*"
| rename remote-endpoint as remote
| dissect remote "%{ip}:%{port}"
| stats count = count(ip) by ip
| sort ip
Here's what the output looks like.
Thanks for following up with more infomation. Have you tried running the query from the console but specifying the format as CSV? If so, does it also return with blank values?
In the console the query you sent over would look something like this:
POST _query?format=csv
{
"query": """
from SMTPReceiveLogs*
| where data like "MAIL FROM*"
| rename remote-endpoint as remote
| dissect remote "%{ip}:%{port}"
| stats count = count(ip) by ip
| sort ip
"""
}
Best,
Jessica
I had not tried that, but that worked!
Thanks.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.