Make two indexes which different fields communicate

dumpnetflow · April 24, 2021, 9:50am

Hi Everyone,

I have two indexes which are automatically generated by an application which I cannot modify.

Index one has two fields:
{
"mappings": {
"properties": {
"src.ip.address": {
"type": "ip"
},
"dst.ip.address": {
"type": "ip"
}
}
}
}

Index two has two fields:
{
"mappings": {
"properties": {
"SOURCE_IP_ADDRESS": {
"type": "ip"
},
"DESTINATION_IP_ADDRESS": {
"type": "ip"
}
}
}
}

I there a way I can modify on of the two kibana index pattern to be able to add an alias or something else to be able to filter for those values?

To be more speficic if I filter for src.ip.address in a dashboard made with both the index patterns, I also filter for SOURCE_IP_ADDRESS on th other index (since they have the same value).

Thanks!

A.

Felix_Roessel · April 24, 2021, 12:23pm

Which version are you running on?

dumpnetflow · April 26, 2021, 8:41am

7.8.0

flash1293 · April 26, 2021, 9:07am

There are multiple ways to do this. It make sense to solve this as far upstream in your pipeline as possible.

If you can control the data source, change it there (already ruled out)
If you can control the mapping of the indices, use field aliases (Alias field type | Elasticsearch Guide [master] | Elastic) or copy_to copy_to | Elasticsearch Guide [7.12] | Elastic
If you can only control Kibana, use a scripted field to check both locations for the actual value (Scripted fields | Kibana Guide [7.12] | Elastic)

This last option is not recommended in this situation, as it will be much slower than the other options.

system · May 24, 2021, 9:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.