Kibana Dev Tools Get Field names from .kibana index

Team,

I tried to figure this out, but I am new to using the dev tools. I am using SecOnion. I want to pull out the fields mapped to different event ids. I spent a good amount of time trying to google an answer, but I didn't find a good thread. If there is something close please point me in that direction. This is what I tried, and failed at:

GET .kibana/_doc/index-pattern:2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29/_search
{
  "query" : {
    "match" : {
      "event.id" : "1"
    }
  }
}

Welcome to our community! :smiley:

Can you elaborate a little more on this part, what do you mean exactly?

warkolm, thanks for getting back to me so fast. I thought this would take more time. I have used Kibana itself but have not gotten into the dev tools before. So I will paste in the returned code so hopefully you can follow what I am asking about. I think I may need to take the .kibana index and reindex it so it can be sorted. I can't figure out how to do that. Thanks for the help. :slight_smile:

{
  "_index" : ".kibana_1",
  "_type" : "_doc",
  "_id" : "index-pattern:2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29",
  "_version" : 52,
  "_seq_no" : 34384,
  "_primary_term" : 9,
  "found" : true,
  "_source" : {
    "index-pattern" : {
      "fieldFormatMap" : """{"network.community_id":{"id":"url","params":{"parsedUrl":{"origin":"https://removed.com","pathname":"/kibana/app/kibana","basePath":"/kibana"} # I am cutting out the rest of this field

This field called "fields" has the data in it that I want to map out.

"fields" : """[{"name":"@timestamp","type":"date","esTypes":["date"],"count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}, #This also goes on for quite some time but it contains all the fields I want.

I want to filter them on a field called "event.id". The dumped field names would look something like this:

@timestamp
@version
agent.ephemeral_id
agent.hostname
agent.id
agent.ip
agent.name
agent.type
agent.version
destination.geo.continent_name
destination.geo.country_iso_code
destination.geo.country_name
destination.geo.ip

Rest of the code, not sure if it's important to you:

      "timeFieldName" : "@timestamp",
      "title" : "*:so-*"
    },
    "type" : "index-pattern",
    "references" : [ ],
    "migrationVersion" : {
      "index-pattern" : "7.6.0"
    },
    "updated_at" : "2020-11-12T15:13:11.332Z"
  }
}
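An added example, not code from the thread, from Kibana or from Security Onion: the response above shows why the match query on "event.id" could not work. Kibana stores the index pattern's field list in the "fields" attribute as a single JSON-encoded string (the `"""[...]"""` value), so Elasticsearch has no "event.id" field to match inside it; the saved object has to be fetched whole and the string decoded on the client. The script below does that and then lists, filters and inspects the field names. It assumes the `_source["index-pattern"]` layout shown in the thread and, going slightly beyond the thread, also accepts the `attributes` layout returned by Kibana's Saved Objects API (`GET /api/saved_objects/index_pattern/<id>`), which is the supported way to read this object without granting read access to the `.kibana` system index. The sample response is constructed from the fields quoted in the thread; the real one has hundreds of entries.

```python
"""
Pull the field list out of a Kibana index-pattern saved object.

Kibana stores the field list as a JSON-encoded *string* in the "fields"
attribute, so Elasticsearch cannot match on anything inside it; fetch the
document whole and decode the string client-side.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample, shaped like the GET .kibana/_doc/index-pattern:<id>
# response quoted in the thread. Only a handful of fields are included.
SAMPLE_FIELDS: List[Dict[str, Any]] = [
    {"name": "@timestamp", "type": "date", "esTypes": ["date"], "count": 0,
     "scripted": False, "searchable": True, "aggregatable": True, "readFromDocValues": True},
    {"name": "@version", "type": "string", "esTypes": ["keyword"], "count": 0,
     "scripted": False, "searchable": True, "aggregatable": True, "readFromDocValues": True},
    {"name": "agent.hostname", "type": "string", "esTypes": ["keyword"], "count": 0,
     "scripted": False, "searchable": True, "aggregatable": True, "readFromDocValues": True},
    {"name": "agent.id", "type": "string", "esTypes": ["keyword"], "count": 0,
     "scripted": False, "searchable": True, "aggregatable": True, "readFromDocValues": True},
    {"name": "destination.geo.ip", "type": "ip", "esTypes": ["ip"], "count": 0,
     "scripted": False, "searchable": True, "aggregatable": True, "readFromDocValues": True},
    {"name": "event.id", "type": "string", "esTypes": ["keyword"], "count": 0,
     "scripted": False, "searchable": True, "aggregatable": True, "readFromDocValues": True},
    {"name": "message", "type": "string", "esTypes": ["text"], "count": 0,
     "scripted": False, "searchable": True, "aggregatable": False, "readFromDocValues": False},
]

SAMPLE_RESPONSE: Dict[str, Any] = {
    "_index": ".kibana_1",
    "_type": "_doc",
    "_id": "index-pattern:2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29",
    "found": True,
    "_source": {
        "type": "index-pattern",
        "index-pattern": {
            "title": "*:so-*",
            "timeFieldName": "@timestamp",
            # Stored as a string, exactly as in the real saved object.
            "fields": json.dumps(SAMPLE_FIELDS),
        },
    },
}


def extract_fields(doc: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Decode the field list from either response shape.

    Accepts a raw Elasticsearch GET on .kibana (fields under
    _source["index-pattern"]) or a Kibana Saved Objects API response
    (fields under "attributes").
    """
    if "_source" in doc:
        attrs = doc["_source"]["index-pattern"]
    elif "attributes" in doc:
        attrs = doc["attributes"]
    else:
        raise ValueError("not an index-pattern saved object")
    raw = attrs.get("fields", "[]")
    # The attribute is a JSON string; tolerate an already-decoded list too.
    return json.loads(raw) if isinstance(raw, str) else list(raw)


def field_names(doc: Dict[str, Any], prefix: str = "") -> List[str]:
    """Sorted field names, optionally only those starting with prefix (e.g. "agent.")."""
    return sorted(f["name"] for f in extract_fields(doc) if f["name"].startswith(prefix))


def field_info(doc: Dict[str, Any], name: str) -> Optional[Dict[str, Any]]:
    """Metadata (type, esTypes, aggregatable, ...) for one field, or None if absent."""
    return next((f for f in extract_fields(doc) if f["name"] == name), None)


def non_aggregatable(doc: Dict[str, Any]) -> List[str]:
    """Fields that cannot be used in a terms aggregation or most visualizations."""
    return sorted(f["name"] for f in extract_fields(doc) if not f["aggregatable"])


if __name__ == "__main__":
    for name in field_names(SAMPLE_RESPONSE):
        print(name)
    print(json.dumps(field_info(SAMPLE_RESPONSE, "event.id"), indent=2))
```

To use it against a live instance, save the response of `GET .kibana/_doc/index-pattern:<id>` from Dev Tools (or of the Saved Objects API call) to a file, `json.load` it and pass the result to `field_names`. The "reindex so it can be sorted" idea is not needed: sorting and filtering happen on the decoded list, and the `.kibana` index is left untouched.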
