Kibana KQL issue: greater-than comparison does not work for the event.duration field

I am currently using Kibana v7.13.3. I am ingesting Zeek logs into my Elastic Stack and trying to filter for events whose duration exceeds a specific threshold. I have tried the following basic KQL query:

event.duration > 10.0

However, this does not filter the results at all. Greater-than comparisons work on all other numeric fields; it appears to be only event.duration that does not filter. Has anyone else experienced this issue?

Could you click on "Inspect" and copy/paste the request that is being sent here?

Does it work if you simply put event.duration > 10?

Could you also copy/paste your mapping for this field?

`event.duration > 10` by itself does not work either.

This is the request being sent. Note that the KQL is translated into the `range` clause on `event.duration` below, with the value passed as the string `"10.0"`, and that it is ANDed with a separate `zeek.dns.rtt >= 0.002` filter and the time-picker range on `@timestamp`, so those also constrain the result set (the trailing comma after the last `fields` entry is a copy/paste artifact):

{
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "version": true,
  "fields": [
    {
      "field": "*",
      "include_unmapped": "true"
    },
    {
      "field": "@timestamp",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.created",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.end",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.ingested",
      "format": "strict_date_optional_time"
    },
    {
      "field": "event.start",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.accessed",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.created",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.ctime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.mtime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "file.x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "kafka.block_timestamp",
      "format": "strict_date_optional_time"
    },
    {
      "field": "microsoft.defender_atp.lastUpdateTime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "microsoft.defender_atp.resolvedTime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "microsoft.m365_defender.alerts.creationTime",
      "format": "strict_date_optional_time"
    },
    {
      "field": "process.parent.start",
      "format": "strict_date_optional_time"
    },
    {
      "field": "process.start",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.client.x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "tls.server.x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "x509.not_after",
      "format": "strict_date_optional_time"
    },
    {
      "field": "x509.not_before",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.kerberos.valid.from",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.kerberos.valid.until",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.org_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.rec_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.ref_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ntp.xmt_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ocsp.revoke.time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ocsp.update.next",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.ocsp.update.this",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.pe.compile_time",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.accessed",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.changed",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.created",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smb_files.times.modified",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.smtp.date",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.snmp.up_since",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.x509.certificate.valid.from",
      "format": "strict_date_optional_time"
    },
    {
      "field": "zeek.x509.certificate.valid.until",
      "format": "strict_date_optional_time"
    },
  ],
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30m",
        "time_zone": "Europe/London",
        "min_doc_count": 1
      }
    }
  },
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": false,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "range": {
                        "event.duration": {
                          "gt": "10.0"
                        }
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "range": {
                        "zeek.dns.rtt": {
                          "gte": "0.002"
                        }
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-08-31T08:54:15.634Z",
              "lte": "2021-09-01T08:54:15.634Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}

This is the current mapping. Note that `event.duration` is mapped as `long`, so the range filter is compared against an integer value, and whether `> 10` is a meaningful threshold depends on the unit the ingest pipeline writes into the field. If it is populated in nanoseconds (the ECS convention for event.duration), `> 10` would match virtually every document, which would look like the filter having no effect; the threshold would then need to be expressed in the same unit (e.g. `> 10000000000` for 10 seconds). This is worth confirming before building detection rules on this field, since a threshold in the wrong unit silently matches everything or nothing:

 "event": {
          "properties": {
            "action": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "category": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "created": {
              "type": "date"
            },
            "dataset": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "duration": {
              "type": "long"
            },

Additionally, this is the pipeline rule we have applied to populate event.duration (the rule itself does not appear in the post as captured; it would show which source field and unit are used):
