Fetch unique values of field in Similar logs

deadPix3l · July 18, 2018, 9:33pm

I have an index with about a quarter million logs and growing.
many logs are exactly the same except one field. ie. (only an example)
{
event_id: 1265,
reason: "permission denied",
file: "/etc/shadow"
process: "chrome.exe",
host: "box_A"
}

sometimes an identical event occurs on multiple hosts. How can i get from "What events happened on host A?" to "for each of those, what other hosts did they occur on?"

How do i view all identical events which occured on more than X different hosts, and find out which hosts those were?

bhavyarm · July 18, 2018, 10:44pm

Hi,

This is a simple terms agg in a datatable in my local:

I am looking at the count of documents which contain that city name.

So instead of count here - you can use other agg.

Does it help?

Thanks,
Bhavya

deadPix3l · July 19, 2018, 1:24am

I'm currently using unique count, but it's not perfect.

So for each event_id or for each process, which are not unique to the log, I can see a count of how many unique hosts have had such an event. So for 1265, let's say I get 4. 4 hosts have experienced as 1265 ("permission denied") error. Now do I get from that to which 4 are they, for all (or top 100?) error codes.

system · August 16, 2018, 1:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to find events with duplicate field value? Kibana	2	3960	March 12, 2020
Duplicate Events in Kibana Beats winlogbeat	1	445	July 29, 2019
Agent.hostname unique search Elasticsearch	3	2234	September 6, 2019
Multiple Logs in Kibana Kibana	4	1299	December 7, 2017
Winlogbeat 7.5.2 duplicate events Beats winlogbeat	4	714	April 16, 2020

Fetch unique values of field in Similar logs

Related topics