So, I am currently running a Network Operations Center largely based around the ELK stack. To help track and identify aberrant events, I’d like to create an index with documents containing saved query strings, a timestamp, and some other identifiers like a ticket number.
Ideally, I’d like to be able to create a filter in Kibana which could toggle include/exclude all documents matching any of the query strings found in the above index, with a timestamp in the last 14 days, found in some arbitrary other index.
The goal would be a simple toggle which would let our NOC personnel switch between identified issues which might need attention, and new events which have not already been reviewed.
I’m not sure if this is something which could best be addressed by using a percolator, or if this is something which would need to be scripted in Painless, or if I’m totally on the wrong track.
Any help would be greatly appreciated.
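The following is an added example, not code from the original post, sketching both approaches the question raises. It assumes the tracking index holds documents shaped like {"query": <Lucene query_string>, "ticket": ..., "created": <ISO-8601>}; those field names, the sample tracking records and the fixed "now" are all constructed for the example. The first approach pulls the saved queries that are younger than 14 days and builds one bool query (should of query_string clauses) that can be pasted into a Kibana filter and inverted for the "not yet reviewed" view; the second shows the percolator shape, which answers the inverse question ("which saved queries match this one event") and therefore fits an ingest-time tagging step rather than a search-time filter.

```python
"""Build Elasticsearch DSL for a NOC "reviewed / not reviewed" toggle.

Added example; assumed tracking-document shape:
  {"query": "<Lucene query_string>", "ticket": "...", "created": "<ISO-8601>"}
"""
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 14

# Constructed sample tracking records (not real data).
SAMPLE_TRACKING_DOCS = [
    {"ticket": "NOC-101", "query": 'host.name:"core-rtr-1" AND message:"BGP"',
     "created": "2024-05-20T08:00:00Z"},
    {"ticket": "NOC-102", "query": "source.ip:10.20.30.0/24 AND event.action:denied",
     "created": "2024-05-28T12:30:00Z"},
    {"ticket": "NOC-103", "query": 'host.name:"core-rtr-1" AND message:"BGP"',
     "created": "2024-05-29T09:00:00Z"},   # duplicate query string, deduped below
    {"ticket": "NOC-090", "query": 'message:"link flap"',
     "created": "2024-04-01T00:00:00Z"},   # older than 14 days: must be ignored
]

# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 timestamp; accepts the trailing 'Z' ES emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def active_queries(docs, now, window_days=WINDOW_DAYS):
    """Keep tracking records created inside the window, first copy of each query wins."""
    cutoff = now - timedelta(days=window_days)
    seen, active = set(), []
    for doc in docs:
        if parse_ts(doc["created"]) >= cutoff and doc["query"] not in seen:
            seen.add(doc["query"])
            active.append(doc)
    return active


def build_toggle_filter(docs, now, include=True, window_days=WINDOW_DAYS):
    """Return a query DSL object usable as a Kibana filter.

    include=True  -> events matching at least one active saved query (known issues)
    include=False -> events matching none of them (not yet reviewed)
    """
    active = active_queries(docs, now, window_days)
    if not active:
        # Edge case: a bool query with no clauses matches everything, so say
        # explicitly that nothing is "known" (or everything is "new").
        return {"match_none": {}} if include else {"match_all": {}}
    # _name makes each hit report which ticket(s) it matched via matched_queries.
    clauses = [{"query_string": {"query": d["query"], "_name": d["ticket"]}}
               for d in active]
    matched_any = {"bool": {"should": clauses, "minimum_should_match": 1}}
    return matched_any if include else {"bool": {"must_not": [matched_any]}}


# --- percolator alternative -------------------------------------------------

def percolator_index_mapping():
    """Mapping for the tracking index if the saved queries are stored as percolator queries.
    Every field the stored queries reference (host.name, message, ...) must also
    be mapped in this index, or registering the query fails."""
    return {"mappings": {"properties": {
        "query": {"type": "percolator"},
        "ticket": {"type": "keyword"},
        "created": {"type": "date"},
    }}}


def percolator_doc(tracking_doc):
    """A stored percolator query is a query DSL object, not a raw string."""
    return {"query": {"query_string": {"query": tracking_doc["query"]}},
            "ticket": tracking_doc["ticket"],
            "created": tracking_doc["created"]}


def percolate_request(event, window_days=WINDOW_DAYS):
    """Ask the tracking index which saved queries (younger than the window) match one event."""
    return {"query": {"bool": {
        "filter": [{"range": {"created": {"gte": f"now-{window_days}d"}}}],
        "must": [{"percolate": {"field": "query", "document": event}}],
    }}}


if __name__ == "__main__":
    import json
    print(json.dumps(build_toggle_filter(SAMPLE_TRACKING_DOCS, NOW, include=False), indent=2))
    print(json.dumps(percolate_request({"host.name": "core-rtr-1", "message": "BGP down"}), indent=2))
```

The bool/should form is the one that matches the question as asked: a search-time filter over any index, refreshed whenever the tracking index changes, and inverted with must_not for the "new events" view. Percolation runs per event, so its natural home is an ingest step that stamps each event with the matching ticket IDs; Kibana can then toggle on a plain keyword field instead of re-evaluating every saved query per search.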