Kibana search events where value of a field matches another field's value in the same event?

Hi,

Is it somehow possible to search in Kibana, either via KQL or Lucene syntax, for a field that has the same value as another field in the same event?
I.e. assume I have a user.name and a user.target.name where some events may contain the same value in both, i.e. a user did something to himself.

i.e. I can search for:

user.name: foobar and user.target.name: foobar

but that would require me to already know the value I'm looking for.

So in a search, I want to find all events where any user did something to himself instead of to some other user. Can I somehow reference a field for its value and search for that?

Something like:

user.name: $user.target.name

I tried to find something like that in the docs, but was unable to find anything.

Hope that's somehow possible.

Sebastian

Hi @buzzdeee

I think your best bet in this case is to use runtime fields: create a field C where you check that the values of fields A and B are the same string/value and return a boolean value.
Then you can run the queries based on field C.

I created an example here with the flight data sample, where a new runtime field sameGeo returns true if both OriginCountry and DestCountry contain the same value (country string):

Would that work for you?

Hi @Marco_Liberati

Runtime fields are awesome, I've never used them before, I only knew about their existence.

I ended up with the following, operating on the winlogbeat-* index pattern. That seems to do exactly what I want, and I can see the field in Discover and do what I want with it:

// Runtime field script (Painless). Only evaluate when both fields are present
// in the event, otherwise doc[...].value would throw on a missing field.
if (doc['user.name'].size() > 0 && doc['winlog.event_data.TargetUserName'].size() > 0) {
    // true when the acting user and the target user are the same account
    def sameUser = doc['user.name'].value == doc['winlog.event_data.TargetUserName'].value;
    if (sameUser) {
        // the field only exists on events where the user acted on himself
        emit(sameUser);
    }
}

thanks a lot,
Sebastian
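The same comparison can also be defined at search time without touching the index pattern, which is handy when testing a detection query from Dev Tools. The request below is an added example (not code from either post); it assumes the winlogbeat-* indices map user.name and winlog.event_data.TargetUserName as keyword fields (ECS default), and it differs from the script above by emitting false as well, so both sameUser: true and sameUser: false are queryable:

```json
POST winlogbeat-*/_search
{
  "runtime_mappings": {
    "sameUser": {
      "type": "boolean",
      "script": {
        "source": "if (doc['user.name'].size() == 0 || doc['winlog.event_data.TargetUserName'].size() == 0) { return; } emit(doc['user.name'].value == doc['winlog.event_data.TargetUserName'].value);"
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        { "term": { "sameUser": true } },
        { "term": { "event.code": "4624" } }
      ]
    }
  },
  "_source": ["@timestamp", "event.code", "user.name", "winlog.event_data.TargetUserName"]
}
```

The event.code filter is only an illustrative narrowing (constructed for the example); drop it to see every event where the acting and target user are identical, and once the query behaves as expected the same script can be saved as a persistent runtime field on the index pattern as in the post above.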
