How to display the PC user's name when displaying log information collected with Winlogbeat in Kibana

Hello from Japan
I have a question for my respected Elastic engineers.
I have been working on collecting Windows log information collected using Winlogbeat into Elasticsearch and visualizing it using Kibana.
These efforts faced a number of challenges.

A typical example is that Kibana can only visualize the host name of the PC sending logs.
I used to use version 7 of the Elastic Stack (mainly Elasticsearch, Kibana, and Winlogbeat).
At that time, I succeeded in linking the PC host name and the PC user using the method below.

① I navigated the screens as shown below.

Kibana → Management → Index Patterns → Scripted fields


② I loaded the scripted field below into Kibana.

if (doc['agent.hostname'].value == 'PC-HostName') { return 'YUUTA' }
else if (doc['agent.hostname'].value == 'PC-HostName2') { return 'INOUE' }

However, after upgrading Elastic Stack to version 8, we discovered that this mechanism no longer works.
We were very troubled. (This is because information about computer users cannot be grasped instantly.)
*It is unfortunate that we discovered only by accident that this is written in the official Elasticsearch documentation.

The method we were able to implement in V7 was to statically replace it on the Kibana screen, but it helped us.
I would like to implement a similar method in Version 8, but is there a way?

My ElasticStack environment is as follows.

Kibana 8.11.1
Elasticsearch 8.11.1

Winlogbeat 8.11.1

Please help me
regards
Thank you

Hi!

In Elasticsearch 8, runtime fields replaced scripts. The code is pretty much the same, and a lookup like yours would be something like this (using the Kibana Flights dataset):

// First check the field exists
if (doc['Carrier'].size() == 0) {
    emit("😱");
} else if (doc['Carrier'].value == "ES-Air") {
    emit("E");
} else if (doc['Carrier'].value == "Logstash Airways") {
    emit("L");
} else if (doc['Carrier'].value == "Kibana Airlines") {
    emit("K");
} else if (doc['Carrier'].value == "JetBeats") {
    emit("B");
} else {
    // Always return something
    emit("🤔");
}

This code would be placed in the "Set value" section of the "Add field" interface.

Hope it helps.
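The answer above shows the Painless lookup written by hand. The following is an added example (not code from the original thread or from Elastic) that generates the same kind of runtime-field script from a hostname-to-user table, so that the table can be maintained outside Kibana and every hostname or user name is emitted as a properly escaped Painless string literal. It assumes the `agent.hostname` keyword field that Winlogbeat populates, a hypothetical runtime field name `pc_user`, and a constructed two-host table taken from the question; the `runtime_mapping_body` helper shapes the request body that an index-level `PUT <index>/_mapping` accepts, as an alternative to pasting the script into the Kibana "Add field" form.

```python
"""Generate a Painless runtime-field script that maps agent.hostname to a user label.

Added example, not Elastic's code. Field names and the host table are assumptions
taken from the question; the mapping body follows the documented
PUT <index>/_mapping { "runtime": {...} } shape for runtime fields.
"""
import json


def painless_string(value: str) -> str:
    """Quote a value as a double-quoted Painless string literal.

    Backslashes and double quotes are escaped so that a hostname or user name
    read from a table can never terminate the literal and alter the script.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_lookup_script(source_field: str, table: dict,
                        missing: str = "unknown-host",
                        default: str = "unmapped") -> str:
    """Return an if / else-if chain in the style of the answer above.

    The first branch guards against documents where the source field is absent
    (doc[...].value would otherwise throw), and the final else always emits a
    value so the runtime field is never silently empty.
    """
    field = painless_string(source_field)
    lines = [
        f"if (doc[{field}].size() == 0) {{",
        f"  emit({painless_string(missing)});",
    ]
    for host, user in table.items():
        lines.append(f"}} else if (doc[{field}].value == {painless_string(host)}) {{")
        lines.append(f"  emit({painless_string(user)});")
    lines += [
        "} else {",
        f"  emit({painless_string(default)});",
        "}",
    ]
    return "\n".join(lines)


def runtime_mapping_body(runtime_field: str, source_field: str, table: dict) -> dict:
    """Body for PUT <index>/_mapping that defines the runtime field on the index."""
    return {
        "runtime": {
            runtime_field: {
                "type": "keyword",
                "script": {"source": build_lookup_script(source_field, table)},
            }
        }
    }


# Constructed table: hostnames and labels from the question, kept outside Kibana.
HOST_TO_USER = {
    "PC-HostName": "YUUTA",
    "PC-HostName2": "INOUE",
}

if __name__ == "__main__":
    # Script text to paste into the "Set value" box of the Kibana "Add field" form.
    print(build_lookup_script("agent.hostname", HOST_TO_USER))
    # Or the index-level alternative: PUT winlogbeat-*/_mapping with this body.
    print(json.dumps(runtime_mapping_body("pc_user", "agent.hostname", HOST_TO_USER), indent=2))
```

Regenerate and re-apply the script whenever the table changes; because every branch is emitted through `painless_string`, a hostname containing a quote or backslash is rendered as data rather than as script text.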

Adding to this great answer that you could also do that using lookup from another index as described in:

:wink:
