Filtering based on a calculated metric

Hi all, I am trying to create a simple data table with the goal of seeing "unusual" domains. By "unusual," I mean "seen within a recent short time period (say, past 24h - this would be hardcoded) without having been seen in the current time filter (say, 90d)".

I have looked at a couple of different ways to approach this, but so far I have not been able to figure out how to create this data table. My first thought was to create two metrics: one, the count of the domain; two, the max of the timestamp of the last seen packet. Then, I could sort on count first and lastPacket second, getting the most recently seen domains with only one hit. However, according to "Allow sorting on multiple fields" (elastic/kibana issue #696), support for sorting based on multiple criteria is not available yet. So, I continued looking.

My second thought was to create a second metric: the count of hits in the shorter time period. Then, filter only on rows where this value is greater than zero and the inverse filter is zero. However, according to "How to apply filter to individual metric in Kibana?", you cannot apply a filter to only a single metric.

Lastly, I turned to the visual builder since it supposedly has more features. However, when I tried to add a metric for the last seen packet like I had in the Data Table builder, it wouldn't show up. In fact, none of the date fields would show up, including @timestamp.

Can somebody point me in the direction of the tool or tools I can use to create such a visualization and the approach I should take?
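The logic the question is asking Kibana for, written out as an added example that is not from the original post or from Kibana itself: per domain, a count over the whole time filter (90d), a count over a hardcoded recent period (24h), and a last-seen timestamp, then keeping only the domains whose hits all fall in the recent period. The sample events, the "current time" and the window sizes below are constructed assumptions; the boundary case (a hit exactly 24h ago) is included to show how the cutoff is treated.

```python
from datetime import datetime, timedelta, timezone

# Assumed "current time" for the example, so the sample data is reproducible.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample packet records (domain, @timestamp in UTC); not real traffic.
SAMPLE_EVENTS = [
    ("cdn.example.com",      NOW - timedelta(days=80)),
    ("cdn.example.com",      NOW - timedelta(days=3)),
    ("cdn.example.com",      NOW - timedelta(hours=2)),   # seen before AND recently
    ("update.example.org",   NOW - timedelta(days=40)),   # not seen recently
    ("xyz-new.example.net",  NOW - timedelta(hours=5)),   # only ever seen recently
    ("xyz-new.example.net",  NOW - timedelta(hours=1)),
    ("old-only.example.com", NOW - timedelta(days=60)),   # not seen recently
    ("stale.example.com",    NOW - timedelta(days=120)),  # outside the 90d time filter
    ("edge.example.com",     NOW - timedelta(hours=24)),  # exactly on the 24h boundary
]


def domain_metrics(events, now, window=timedelta(days=90), recent=timedelta(hours=24)):
    """Per-domain metrics over the outer time filter ('window'): total count,
    count inside the hardcoded recent period, and the last-seen timestamp.
    The recent period is inclusive of its start (a hit exactly 24h ago counts)."""
    window_start = now - window
    recent_start = now - recent
    metrics = {}
    for domain, ts in events:
        if ts < window_start or ts > now:
            continue  # outside the dashboard's time filter, same as Kibana would drop it
        m = metrics.setdefault(domain, {"count": 0, "recent_count": 0, "last_seen": ts})
        m["count"] += 1
        if ts >= recent_start:
            m["recent_count"] += 1
        if ts > m["last_seen"]:
            m["last_seen"] = ts
    return metrics


def unusual_domains(events, now, **kw):
    """Domains with hits in the recent period and no earlier hits inside the
    window, sorted by last_seen (newest first). Returns a list of (domain, metrics)."""
    metrics = domain_metrics(events, now, **kw)
    hits = {d: m for d, m in metrics.items()
            if m["recent_count"] > 0 and m["count"] - m["recent_count"] == 0}
    return sorted(hits.items(), key=lambda kv: kv[1]["last_seen"], reverse=True)


if __name__ == "__main__":
    for domain, m in unusual_domains(SAMPLE_EVENTS, NOW):
        print(f"{domain:24s} count={m['count']} recent={m['recent_count']} "
              f"last_seen={m['last_seen'].isoformat()}")
```

The "unusual" condition is `count - recent_count == 0`, i.e. the per-row check the second approach in the post describes (recent count above zero, everything else zero); a domain like `cdn.example.com` that has both old and recent hits is correctly excluded, and a domain whose only hits lie outside the 90d filter never appears at all.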

@timroes any thoughts on this?
