Kibana: find IP addresses that are in two different indexes

stcdarrell · June 20, 2020, 12:29am

hi, i'm having trouble wrapping my head around the best way to query kibana. I have indexes lets just say:
Index-Business1-firewall-Logs
Index-Business2-filewall-Logs

i have a kibana Index Pattern that is Index-Business*, so both businesses firewall data is displayed
i have fields for source and destination IP's. [source][ip] and [destination][ip]

i need a query to find what destination ips are in BOTH indexes.

basically:
[destination][ip]:* AND (_index: Index-Business1-firewall-Logs AND Index-Business2-firewall-Logs)

but that doesnt seem to work.. any suggestions?

to make it even fancier.. i'd love to limit the source address to an internal address and do the same search.. so:
([source][ip]: 172.) AND [destination][ip]: AND (_index: Index-Business1-firewall-Logs AND Index-Business2-firewall-Logs)

thank you
Darrell

mattkime · June 25, 2020, 1:46am

If you have an index pattern that covers multiple indices then something like destination.ip : *

If you're still having trouble it might be helpful to show a screenshot of the searchbar.

system · July 23, 2020, 1:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.