Kibana json input

azulgrana · October 4, 2021, 10:24pm

Hi there!

I have a custom visualization that reports on network traffic by protocol, source and destination. I have added to my Split rows bucket a custom JSON input to strip out the last octet and to display the communications based on source / destination subnets

{
    "script": "( _value.indexOf('.') > 0 ? _value.substring(0, _value.lastIndexOf('.')) : _value )"
}

And in cases where the communication happened within the same subnet, the query shows record for it.

What would be the best way to exclude / remove the values where the Source and Destination are the same? I was thinking on comparing the two fields and if the fields have equal value then replace value with 0 and use the "Exclude" option to exclude all zeros ... though I couldn't find a way to it and how to add it to my existing code.

Any feedback or help, would be greatly appreciated

TIA!

Azulgrana

azulgrana · October 5, 2021, 1:38am

I think I made it work

{
  "script": "if ( doc['ip_src'].value.substring(0, doc['ip_src'].value.lastIndexOf('.')) == doc['ip_dst'].value.substring(0, doc['ip_dst'].value.lastIndexOf('.'))) {return '0'} else {return _value.substring(0, doc['ip_src'].value.lastIndexOf('.'))}"
}