And I am trying to get the sum of all bytes by IP when either the source.ip or the destination.ip is equal to that IP, and get that into a table in Kibana. So the table, for example, would be:
ip | bytes
10.10.1.1 | 7500 (sum of when it is the source ip plus the sum when it is the destination ip)
10.10.1.2 | 5600
10.10.1.3 | 1200
You need what I would call a "role-free" field. Field names like source.ip and destination.ip are classic examples of where an entity is mentioned in a document along with the role they play i.e. sender vs recipient. For some analysis you don't care about the role and just want to summarise all of an entity's activities.
You can do this using a copy_to statement in your field mappings - create a role-neutral field called something like ip_addresses and use a copy_to command in your source.ip and destination.ip to include a copy of these values in the ip_addresses field. Then do your Kibana analysis on the ip_addresses field.
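As an added example (not from the original thread or from Elastic), the mapping below shows the copy_to approach, together with the aggregation a Kibana data table would run and a small local emulation of how Elasticsearch would total the bytes. The index name "netflow", the role-neutral field name "ip_addresses", the byte field "network.bytes" and the sample flow records are all assumptions made for the example; the records are constructed, not real traffic. The emulation also covers two edge cases worth knowing about: a record where source.ip and destination.ip are the same address (it contributes its bytes once, because doc values keep each distinct value once per document), and a record with one of the two fields missing.

```python
"""Role-free IP totals: an Elasticsearch copy_to mapping plus a local emulation.

Hypothetical names (assumptions, not from the thread): index "netflow",
target field "ip_addresses", byte-count field "network.bytes".
"""
import ipaddress
from collections import defaultdict

# Mapping for the hypothetical "netflow" index: both role-specific ip fields
# copy their value into the role-neutral ip_addresses field at index time.
NETFLOW_MAPPING = {
    "mappings": {
        "properties": {
            "source": {"properties": {"ip": {"type": "ip", "copy_to": "ip_addresses"}}},
            "destination": {"properties": {"ip": {"type": "ip", "copy_to": "ip_addresses"}}},
            "network": {"properties": {"bytes": {"type": "long"}}},
            "ip_addresses": {"type": "ip"},  # the copy_to target must be mapped as well
        }
    }
}

# Search body equivalent to a Kibana data table whose rows are split by a
# Terms aggregation on ip_addresses with the metric Sum of network.bytes.
BYTES_BY_IP_QUERY = {
    "size": 0,
    "aggs": {
        "by_ip": {
            "terms": {"field": "ip_addresses", "size": 500},
            "aggs": {"total_bytes": {"sum": {"field": "network.bytes"}}},
        }
    },
}

# Constructed sample flow records (not real traffic).
SAMPLE_DOCS = [
    {"source": {"ip": "10.10.1.1"}, "destination": {"ip": "10.10.1.2"}, "network": {"bytes": 5000}},
    {"source": {"ip": "10.10.1.2"}, "destination": {"ip": "10.10.1.1"}, "network": {"bytes": 2500}},
    {"source": {"ip": "10.10.1.3"}, "destination": {"ip": "192.0.2.10"}, "network": {"bytes": 1200}},
    # Both roles hold the same address: counted once for 10.10.1.1.
    {"source": {"ip": "10.10.1.1"}, "destination": {"ip": "10.10.1.1"}, "network": {"bytes": 400}},
    # No destination.ip at all (e.g. a partial flow): only the source side is credited.
    {"source": {"ip": "10.10.1.3"}, "network": {"bytes": 100}},
]

ROLE_FIELDS = ("source.ip", "destination.ip")


def get_path(doc, dotted):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def role_free_ips(doc):
    """Emulate what copy_to leaves in ip_addresses for one document.

    The ip field type rejects malformed addresses (the whole document would be
    rejected at index time, mirrored here by ValueError), and doc values hold
    each distinct value once per document, so source.ip == destination.ip
    yields a single value.
    """
    values = set()
    for path in ROLE_FIELDS:
        raw = get_path(doc, path)
        if raw is None:
            continue  # a missing role field simply contributes nothing
        values.add(str(ipaddress.ip_address(raw)))
    return values


def sum_bytes_by_ip(docs):
    """Emulate terms(ip_addresses) + sum(network.bytes): the bytes of a flow
    count toward every distinct address that appears in it, in either role."""
    totals = defaultdict(int)
    for doc in docs:
        nbytes = get_path(doc, "network.bytes") or 0
        for ip in role_free_ips(doc):
            totals[ip] += nbytes
    return dict(totals)


def sum_bytes_by_role(docs, role_field):
    """The role-bound aggregation (terms on source.ip alone), for contrast."""
    totals = defaultdict(int)
    for doc in docs:
        ip = get_path(doc, role_field)
        if ip is not None:
            totals[ip] += get_path(doc, "network.bytes") or 0
    return dict(totals)


if __name__ == "__main__":
    for ip, total in sorted(sum_bytes_by_ip(SAMPLE_DOCS).items()):
        print(f"{ip:<12} {total}")
```

Apply NETFLOW_MAPPING when creating the index (copy_to is an index-time mapping parameter, so documents already indexed will not get an ip_addresses value until they are reindexed), then build the Kibana data table with a Terms split-rows bucket on ip_addresses and a Sum metric on network.bytes. A flow between two hosts in the index credits its bytes to both addresses, which is what the question asks for; comparing sum_bytes_by_ip with sum_bytes_by_role on the sample records shows exactly how much the source-only view misses.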