Include filter from different modules

syedsfayaz · June 28, 2019, 5:14pm

Hi

I am trying to create a graph to show number of people hitting our internal environments.

Version : ELK 7.2

Here I have installed filebeat on both Linux and windows environments.
For windows I am using IIS module.
For Linux I am using apache module.

Now I'm creating a single graph and showing users by split chart. My issue is I want to filter data base on the url access but data coming from Linux and Windows is different and I cant find a common value between these two.

Linux
I can filter data by "url.original" is one of the following

Windows
I can filter data by "url.path" is one of the following.

What I can't do is show data where we have both "url.original" and "url.path". If I add two filters the dashboard is empty as expected.

Can we have some condition with filter "X (or) Y" exists. (if $url.path or $url.original) exists. )
Can you please tell me how I can achieve this.

syedsfayaz · June 28, 2019, 5:34pm

I was able to get it done as a dsl quiery. But it would have been nice I there was an option to select.

{
  "query": {
    "bool": {
      "should": [
        {
          "match_phrase": {
            "url.path": "/portal/home/"
          }
        },
        {
          "match_phrase": {
            "url.path": "/portal/sharing/rest/portals/self"
          }
        }
		{
          "match_phrase": {
            "url.original": "/portal/home/"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

system · July 26, 2019, 5:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.