Help with lucene

mortenb123 · April 9, 2019, 7:50am

I have this message field:
<10000000-0000-1111-0000-000020171218>(Controller, Raw) 02:42:0A:04:84:81 << Error Apr-9,07:28:33.583 ../src/util_net.c 340: connect():select() Socket error=113 ip=10.4.1.231 port=34323\n [errno=113:"No route to host"]

I'm filtering on error=113, but I want a table of count for each IP. I do not have a field for ip. but want to make one on the fly and use it.

In splunk I do:
error=113 | rex "ip=(?<ip>[\d\.]+)" | stats count by ip

Any pointers etc to help me going.

Thanks

warkolm · April 9, 2019, 10:38pm

Elasticsearch works best when extracting things into it's own fields before indexing the data. You might be able to come up with a script query to do what you want, but it's difficult (I can't help), and seriously inefficient.

mortenb123 · April 10, 2019, 10:03am

Thanks, I'll try and add a field. I will try to reindex the index adding new fields.

system · May 8, 2019, 10:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.