Hello All,
So I'm coming from a Splunk background, and trying to replicate some of the same sorts of visualizations and dashboards I had built out over there. If I have any gross misconceptions I blame that.
I have a dataset composed of network flow data (source address, dest address, type of traffic, locations of source and dest) and I'm trying to make a dashboard that given a certain IP in the search field, a profile of that IP is returned. One of the things I'd like to do is "Number of times the searched IP is a source address" as a metric. I'm unclear as to how to do that. Also, any suggestions for resources to get better acquainted with Kibana would be appreciated.
Assuming you have something like a sourceip and destip field, on the Kibana Discover tab, if you just put an IP address in the search field you should get all the documents containing that IP address regardless of which field it's in. But if you search on sourceip:123.456.789.000 you would get only the documents where that IP is in the sourceip field. The count of how many matched is in the upper-right-hand corner of the chart on the Discover tab and shows how many "Hits".
And/or you could go to Visualize tab and create a line chart with a Date Histogram, then search sourceip:123.456.789.000 and see activity over time for that IP.
I was hoping to skip the field specifiers if possible. The idea of the dashboard is for an analyst to enter an IP and see all the information I can dig up out of our data in a nice summary format, so I was hoping to break down the field counts separately. I feel like the "Advanced JSON" bit is the place where I might be able to do that, but can't puzzle out how yet.
In Splunk I would do a sub visualization that included whatever was entered into the main form field and ran based off that, but that isn't a Kibana thing?
I think you can skip the field specifier if you want. Do you need to see this data with respect to time? Or just all the hits?
Here's an example I just did with a Data Table visualization in Kibana. I searched on an IP address at the top, and created a couple of aggregations to show some information about the matching hits:
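As an added example (not code from anyone in this thread), here is one way to get the "times the searched IP is a source address" count without making the analyst type a field specifier: a single free-text search on the IP, plus a `filters` aggregation that splits the matching documents into "as source" and "as destination" buckets, each broken down by traffic type. The field names `sourceip`, `destip` and `traffic_type`, the `ip`/`keyword` mappings they would need, and the sample flow records are all assumptions made for the example. The `profile_ip` function is an offline mirror of what that aggregation returns, so the logic can be checked without a cluster.

```python
"""Added example: build an Elasticsearch search body that profiles one IP in
network-flow data (how often it appears as source vs. destination, split by
traffic type), and an offline evaluator that mirrors the aggregation.

Assumptions (not taken from the original poster's index):
  - sourceip / destip are mapped as `ip`, traffic_type as `keyword`
  - each document is one flow record with those three fields
"""
import json
from collections import Counter

# Constructed sample flow records for the example (not real traffic).
FLOWS = [
    {"sourceip": "10.0.0.5", "destip": "192.0.2.10", "traffic_type": "dns"},
    {"sourceip": "10.0.0.5", "destip": "192.0.2.20", "traffic_type": "http"},
    {"sourceip": "10.0.0.5", "destip": "192.0.2.20", "traffic_type": "http"},
    {"sourceip": "192.0.2.20", "destip": "10.0.0.5", "traffic_type": "http"},
    {"sourceip": "10.0.0.9", "destip": "192.0.2.10", "traffic_type": "dns"},
]


def build_ip_profile_query(ip: str) -> dict:
    """Return an Elasticsearch search body for the IP profile.

    The top-level query is a free-text query_string (no field specifier),
    so it behaves like typing the IP into the Kibana search bar.  `lenient`
    stops the search failing on fields that cannot parse an IP literal.
    The `filters` aggregation then counts, within those hits, how many
    documents have the IP in sourceip and how many in destip, and the
    nested `terms` aggregation breaks each bucket down by traffic type.
    """
    return {
        "size": 0,  # we only want the aggregation counts, not the hits
        "query": {
            "query_string": {"query": f'"{ip}"', "lenient": True}
        },
        "aggs": {
            "role": {
                "filters": {
                    "filters": {
                        "as_source": {"term": {"sourceip": ip}},
                        "as_dest": {"term": {"destip": ip}},
                    }
                },
                "aggs": {
                    "by_traffic_type": {
                        "terms": {"field": "traffic_type", "size": 10}
                    }
                },
            }
        },
    }


def profile_ip(flows: list, ip: str) -> dict:
    """Offline equivalent of the `role` aggregation above.

    Returns {"as_source": {"doc_count": n, "by_traffic_type": {...}},
             "as_dest":   {...}} computed directly from the records, which
    is what the Data Table would display for each bucket.
    """
    profile = {}
    for role, field in (("as_source", "sourceip"), ("as_dest", "destip")):
        matched = [f for f in flows if f[field] == ip]
        profile[role] = {
            "doc_count": len(matched),
            "by_traffic_type": dict(Counter(f["traffic_type"] for f in matched)),
        }
    return profile


if __name__ == "__main__":
    print(json.dumps(build_ip_profile_query("10.0.0.5"), indent=2))
    print(json.dumps(profile_ip(FLOWS, "10.0.0.5"), indent=2))
```

The same split can be built in the Kibana UI as a Data Table with a Filters bucket aggregation (one filter `sourceip:<ip>`, one `destip:<ip>`) and a Terms sub-bucket on the traffic-type field; the JSON above is what that visualization sends to Elasticsearch.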