Kibanaのグラフ機能でノード間のエッジが表示されない。

Elastic In Your Native Tongue 日本語による質問・議論はこちら
1

Kibanaのgraphを用いてデータ間の依存関係を可視化したいのですが、ノード間のエッジを表示するためには何か設定などが必要でしょうか?jsonファイルをELKスタックに投入して表示しています。現状ではノードのみ表示されている状況です。

ご教示いただけますと幸いです。

投入したデータ

[
  {
    "event": {
      "type": "SYSCALL",
      "timestamp": 1364481363.243,
      "audit_id": 24287,
      "syscall": {
        "process_info": {
          "pid": 3538,
          "ppid": 3500,
          "command": "cat",
          "executable": "/bin/cat"
        }
      },
      "path_info": {
        "name": "/etc/ssh/sshd_config",
        "inode": 409248
      },
      "provenance_info": {
        "input_files": [],
        "output_files": ["/etc/ssh/sshd_config"]
      }
    }
  },
  {
    "event": {
      "type": "SYSCALL",
      "timestamp": 1364481370.123,
      "audit_id": 24288,
      "syscall": {
        "process_info": {
          "pid": 3540,
          "ppid": 3502,
          "command": "vi",
          "executable": "/bin/vi"
        }
      },
      "path_info": {
        "name": "/etc/passwd",
        "inode": 409249
      },
      "provenance_info": {
        "input_files": ["/etc/ssh/sshd_config"],
        "output_files": ["/etc/passwd"]
      }
    }
  },
  {
    "event": {
      "type": "SYSCALL",
      "timestamp": 1364481385.678,
      "audit_id": 24289,
      "syscall": {
        "process_info": {
          "pid": 3542,
          "ppid": 3540,
          "command": "grep",
          "executable": "/bin/grep"
        }
      },
      "path_info": {
        "name": "/var/log/auth.log",
        "inode": 409250
      },
      "provenance_info": {
        "input_files": ["/etc/passwd"],
        "output_files": ["/var/log/auth.log"]
      }
    }
  },
  {
    "event": {
      "type": "SYSCALL",
      "timestamp": 1364481395.789,
      "audit_id": 24290,
      "syscall": {
        "process_info": {
          "pid": 3544,
          "ppid": 3542,
          "command": "chmod",
          "executable": "/bin/chmod"
        }
      },
      "path_info": {
        "name": "/home/user/.bashrc",
        "inode": 409251
      },
      "provenance_info": {
        "input_files": ["/var/log/auth.log"],
        "output_files": ["/home/user/.bashrc"]
      }
    }
  }
]

マッピング

{
  "dtest4" : {
    "aliases" : { },
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "parsed_json" : {
          "properties" : {
            "event" : {
              "properties" : {
                "audit_id" : {
                  "type" : "long"
                },
                "path_info" : {
                  "properties" : {
                    "inode" : {
                      "type" : "long"
                    },
                    "name" : {
                      "type" : "text",
                      "fields" : {
                        "keyword" : {
                          "type" : "keyword",
                          "ignore_above" : 256
                        }
                      }
                    }
                  }
                },
                "provenance_info" : {
                  "properties" : {
                    "input_files" : {
                      "type" : "text",
                      "fields" : {
                        "keyword" : {
                          "type" : "keyword",
                          "ignore_above" : 256
                        }
                      }
                    },
                    "output_files" : {
                      "type" : "text",
                      "fields" : {
                        "keyword" : {
                          "type" : "keyword",
                          "ignore_above" : 256
                        }
                      }
                    }
                  }
                },
                "syscall" : {
                  "properties" : {
                    "process_info" : {
                      "properties" : {
                        "command" : {
                          "type" : "text",
                          "fields" : {
                            "keyword" : {
                              "type" : "keyword",
                              "ignore_above" : 256
                            }
                          }
                        },
                        "executable" : {
                          "type" : "text",
                          "fields" : {
                            "keyword" : {
                              "type" : "keyword",
                              "ignore_above" : 256
                            }
                          }
                        },
                        "pid" : {
                          "type" : "long"
                        },
                        "ppid" : {
                          "type" : "long"
                        }
                      }
                    }
                  }
                },
                "timestamp" : {
                  "type" : "float"
                },
                "type" : {
                  "type" : "text",
                  "fields" : {
                    "keyword" : {
                      "type" : "keyword",
                      "ignore_above" : 256
                    }
                  }
                }
              }
            }
          }
        },
        "tags" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
    },
    "settings" : {
      "index" : {
        "creation_date" : "1715132871526",
        "number_of_shards" : "1",
        "number_of_replicas" : "1",
        "uuid" : "9wZN4XQ0Rwmb9mSTlNgNoQ",
        "version" : {
          "created" : "7060299"
        },
        "provided_name" : "dtest4"
      }
    }
  }

現在の表示
子プロセス(pid)と親プロセス(ppid)の依存関係を可視化したい。

Screenshot from 2024-05-10 18-39-29
Screenshot from 2024-05-10 18-39-291195×928 51 KB