Logstash Netflow Module Change Index Pattern Field


(Michael Tsikerdekis) #1

I am trying to change the default indexing pattern for logstash's netflow module. Currently fields netflow.dst_port and netflow.src_port are set to be string!

I have been changing the json files (netflow.json) in this directory:
/usr/share/logstash/modules/netflow

And then erasing all data from elasticsearch and restarting everything. However, Kibana still shows that the field is a string.

Am I editing the right files?


(Robert Cowart) #2

I am curious why you want to map them as integers? While port values are numbers, they are really a kind of identifier rather than a quantity. This means that you will likely never be doing math functions on them, but you will be doing aggregations all the time using terms queries. By setting the type of these fields to a string you maximize query performance. More info here...

https://www.elastic.co/guide/en/elasticsearch/reference/current/tune-for-search-speed.html#_map_identifiers_as_literal_keyword_literal

This is exactly the reason those fields are keywords in the Netflow module.


(Michael Tsikerdekis) #3

Thank you Robert for the link. What I want to do is build a query that displays only the ports that are above 1024. I have tried using [1024 TO *] and >=1024 but I keep getting lower port numbers as well. Are term/string fields allowed to work for queries with range values?


(Michael Tsikerdekis) #4

Is there another way that I can filter out any dest port numbers below 1024?
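The behaviour asked about in #3 and #4, as an added illustration that is not code from the thread or from the Logstash Netflow module: a `range` query on a `keyword` field compares the stored strings byte by byte, so "80" and "443" sort after "1024" (because "8" and "4" sort after "1"), which is why `[1024 TO *]` keeps returning low ports. The script below emulates both comparison rules over a constructed set of flow records, then builds the mapping fragment and query body that give a numeric range while keeping the keyword for terms aggregations (the point made in #2). The sample records, the `number` sub-field name and the assumption that the mapping is installed as an index template before the index is (re)created are all mine, not the module's.

```python
"""Keyword vs integer range semantics for Netflow port fields.

Added example, not part of the original discussion or of the Logstash
Netflow module. Sample flows are constructed; mapping and query bodies are
plain dicts mirroring Elasticsearch's JSON syntax.
"""

# Constructed sample flow records as the Netflow module would index them:
# dst_port arrives as a string because the module maps it as `keyword`.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_port": "80"},
    {"src_ip": "10.0.0.5", "dst_port": "443"},
    {"src_ip": "10.0.0.7", "dst_port": "22"},
    {"src_ip": "10.0.0.9", "dst_port": "1024"},
    {"src_ip": "10.0.0.9", "dst_port": "8080"},
    {"src_ip": "10.0.0.11", "dst_port": "49152"},
    {"src_ip": "10.0.0.11", "dst_port": "1"},
]


def keyword_range(flows, field, gte):
    """Emulate `range` on a keyword field.

    Terms are compared as strings, so "80" >= "1024" holds because "8"
    sorts after "1". This is the comparison the poster's query is doing.
    """
    return [f[field] for f in flows if f[field] >= str(gte)]


def integer_range(flows, field, gte):
    """Emulate `range` on an integer field: plain numeric comparison."""
    return [f[field] for f in flows if int(f[field]) >= gte]


def port_multifield_mapping(field_names):
    """Mapping fragment for an index template (template name and install
    step assumed, not shown): keep the keyword for terms aggregations and
    add an integer sub-field, here called `number`, for range queries."""
    props = {
        name: {"type": "keyword", "fields": {"number": {"type": "integer"}}}
        for name in field_names
    }
    return {"mappings": {"properties": {"netflow": {"properties": props}}}}


def high_port_query(field="netflow.dst_port.number", gte=1024):
    """Query DSL body that selects flows whose port is numerically >= gte.

    The `.number` sub-field name is the one assumed in
    port_multifield_mapping().
    """
    return {"query": {"range": {field: {"gte": gte}}}}


if __name__ == "__main__":
    print("keyword  >= 1024:", keyword_range(SAMPLE_FLOWS, "dst_port", 1024))
    print("integer  >= 1024:", integer_range(SAMPLE_FLOWS, "dst_port", 1024))
    print(port_multifield_mapping(["src_port", "dst_port"]))
    print(high_port_query())
```

Because keyword fields accept numeric JSON values and store them as strings, converting the port in Logstash (for example with a `mutate` `convert` to integer) is not enough on its own; the index mapping decides the comparison rule, and an existing index keeps its mapping, so the template has to be in place before the index is created.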


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.