Kibana keyword aggregation for visualisation

philippkahr · September 16, 2019, 8:02am

Hi,

I am struggeling with a little aggregation task. Let's say we have to following data from winlogbeat:
First data:

{
"param1":  "1.2.3.4:5555"
}

Second data:

{
"param1": "1.2.3.4:6666"
}

If I perform a pie chart with count it will tell me 1.2.3.4:6666 and 1.2.3.4:5555 separately. How am I able to perform a count on everything before the :. I do not care about the ports.

I am not able to rework the pipeline or todo something inside winlogbeat. Therefore, I have to solve this issue inside kibana.

Any idea?

Brandon_Kobel · September 16, 2019, 4:50pm

Hey @philippkahr, you can do this using a Kibana Scripted Field similar to the following, however, it will much more performant to do so on ingest.

Painless Script:

String val = doc['param1'].value;
int index = val.indexOf(':');
return val.substring(0, index);

philippkahr · September 17, 2019, 5:50am

Thanks very much for your help. I totally forgot about scripted fields! Works as expected

system · October 15, 2019, 5:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.