Help with lucene

mortenb123 · April 9, 2019, 7:50am

I have this message field:
<10000000-0000-1111-0000-000020171218>(Controller, Raw) 02:42:0A:04:84:81 << Error Apr-9,07:28:33.583 ../src/util_net.c 340: connect():select() Socket error=113 ip=10.4.1.231 port=34323\n [errno=113:"No route to host"]

I'm filtering on error=113, but I want a table of count for each IP. I do not have a field for ip. but want to make one on the fly and use it.

In splunk I do:
error=113 | rex "ip=(?<ip>[\d\.]+)" | stats count by ip

Any pointers etc to help me going.

Thanks

warkolm · April 9, 2019, 10:38pm

Elasticsearch works best when extracting things into it's own fields before indexing the data. You might be able to come up with a script query to do what you want, but it's difficult (I can't help), and seriously inefficient.

mortenb123 · April 10, 2019, 10:03am

Thanks, I'll try and add a field. I will try to reindex the index adding new fields.

system · May 8, 2019, 10:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Inconsistent results using Lucene Query Syntax Elasticsearch	9	587	May 21, 2018
Mixing up field types error: IP field is not getting added Elasticsearch	8	2662	July 5, 2017
How to handle fields containg ipv4 OR ipv6 (actually only ::1 - ie. localhost)? Elasticsearch	2	1955	July 6, 2017
Error when using elasticsearch logstash filter Logstash	2	348	May 6, 2022
Query a specific IP address in Elastic Elasticsearch	3	1058	April 19, 2022

Help with lucene

Related topics