Filter on specific field

Hello guys,

Above is my log message.

user <TEST> from client <xyz (connection-xyz.de)>

I want to filter on the content in the brackets <>, but I don't only want to test how many hits this delivers. I also want to know how often the users are different, so how often the value in <> is not equal. I can't find the right query for this.

Please help me guys, and please don't recommend the possibility with the security activities.

Thank you

Hi @Thomas_Sieger,

I'd suggest first to ingest your data differently.
It would be easier to analyse your data if you had separate fields in your documents:

{
  message: "user <TEST> from client <xyz (connection-xyz.de)>",
  user: "<TEST>",
  client: "<xyz (connection-xyz.de)>"
}

If it is not possible to add these fields during ingestion, then you could try to extract them using scripted fields.

Then you could easily filter by client field and see number of hits.

I also want to know how often the users are different, so how often the value in <> is not equal.

For this you could, for example, build a bar chart where on x axis are users (user) and y axis "uniq count" of clients (client).

Hey dosant,

I don't really understand your expression:

{
message: "user from client <xyz (connection-xyz.de)>",
user: "",
client: "<xyz (connection-xyz.de)>"
}

How can I structure this? I only read out my logfiles with filebeat and send them to Kibana. So can you describe where I can structure this?

I'm new with Kibana ;(

Thank you in advance :smiley:

You can pre-process documents before indexing using ingest node: https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ingest-node.html

To extract fields from the log message you can use the grok processor.
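To make the two suggestions in this thread concrete (separate user/client fields extracted at ingest time, then a unique count split by one of them), here is an added example that is not part of the original posts or of Elastic's own code. It builds the body of an ingest pipeline with a grok processor for the log line shape shown above, emulates that grok pattern offline with a regex so you can check it against a few constructed log lines before deploying it, and computes the "unique count of user per client" (and the reverse) that the bar chart would show. The pipeline description, the sample lines and the use of `ignore_failure` are assumptions; the grok processor options and the `%{DATA:...}`/`%{GREEDYDATA:...}` pattern syntax are real.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread); the <...> parts are the fields to extract.
SAMPLE_LOGS = [
    "user <TEST> from client <xyz (connection-xyz.de)>",
    "user <alice> from client <xyz (connection-xyz.de)>",
    "user <TEST> from client <abc (connection-abc.de)>",
    "user <bob> from client <xyz (connection-xyz.de)>",
    "unrelated line without the expected shape",
]

# Grok pattern for the ingest-node grok processor. DATA matches lazily, GREEDYDATA greedily,
# so the user field stops at the first ">" and the client field can contain spaces and parentheses.
GROK_PATTERN = "user <%{DATA:user}> from client <%{GREEDYDATA:client}>"


def ingest_pipeline(pattern: str = GROK_PATTERN) -> dict:
    """Body for `PUT _ingest/pipeline/<name>` (name is up to you): one grok processor over 'message'.
    ignore_failure (assumption for this example) keeps lines that do not match instead of rejecting them,
    so a log line with an unexpected shape is still indexed and can be spotted later."""
    return {
        "description": "split 'user <..> from client <..>' into user/client fields",
        "processors": [
            {"grok": {"field": "message", "patterns": [pattern], "ignore_failure": True}}
        ],
    }


# Regex equivalents of the two grok base patterns used above, to emulate the processor offline.
_GROK_TO_REGEX = {"DATA": r"(?P<{name}>.*?)", "GREEDYDATA": r"(?P<{name}>.*)"}


def grok_to_regex(pattern: str) -> "re.Pattern":
    """Translate %{TYPE:name} tokens into named groups; literal text between them is escaped."""
    out, pos = [], 0
    for m in re.finditer(r"%\{(\w+):(\w+)\}", pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        out.append(_GROK_TO_REGEX[m.group(1)].format(name=m.group(2)))
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))


def parse_line(message: str, pattern: str = GROK_PATTERN) -> dict:
    """Emulate the grok processor: return the document with extracted fields,
    or only the original 'message' when the line does not match."""
    doc = {"message": message}
    m = grok_to_regex(pattern).search(message)  # grok is unanchored, so search() not match()
    if m:
        doc.update(m.groupdict())
    return doc


def unique_count(docs: list, split_field: str, count_field: str) -> dict:
    """The chart dosant describes: for each distinct value of split_field, the number of
    distinct count_field values. Documents missing either field (unparsed lines) are skipped."""
    seen = defaultdict(set)
    for d in docs:
        if split_field in d and count_field in d:
            seen[d[split_field]].add(d[count_field])
    return {key: len(values) for key, values in seen.items()}


if __name__ == "__main__":
    docs = [parse_line(line) for line in SAMPLE_LOGS]
    for d in docs:
        print(d)
    print("distinct users per client:", unique_count(docs, "client", "user"))
    print("distinct clients per user:", unique_count(docs, "user", "client"))
```

With the fields split out, the number of different users behind one client is just the "Unique Count" of `user` split by `client` in a visualization; a client with an unusually high value is the kind of anomaly worth a closer look, and the unparsed line shows why keeping non-matching documents (rather than dropping them) matters for not losing events silently.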
