Help with lucene

mortenb123 · April 9, 2019, 7:50am

I have this message field:
<10000000-0000-1111-0000-000020171218>(Controller, Raw) 02:42:0A:04:84:81 << Error Apr-9,07:28:33.583 ../src/util_net.c 340: connect():select() Socket error=113 ip=10.4.1.231 port=34323\n [errno=113:"No route to host"]

I'm filtering on error=113, but I want a table of count for each IP. I do not have a field for ip. but want to make one on the fly and use it.

In splunk I do:
error=113 | rex "ip=(?<ip>[\d\.]+)" | stats count by ip

Any pointers etc to help me going.

Thanks

warkolm · April 9, 2019, 10:38pm

Elasticsearch works best when extracting things into it's own fields before indexing the data. You might be able to come up with a script query to do what you want, but it's difficult (I can't help), and seriously inefficient.

mortenb123 · April 10, 2019, 10:03am

Thanks, I'll try and add a field. I will try to reindex the index adding new fields.

Topic		Replies	Views
Event Correlation \ populate one field with data from other field in elasticsearch Logstash	17	5142	July 19, 2016
Error when using elasticsearch logstash filter Logstash	1	393	April 8, 2022
Need help filter data indexed! Elasticsearch	0	323	March 25, 2013
Creating an IP field from log file Kibana	1	485	October 18, 2017
Field host.ip problem Elasticsearch	0	268	June 21, 2021

Help with lucene

Related topics