Make two indexes which different fields communicate

Hi Everyone,

I have two indexes which are automatically generated by an application which I cannot modify.

Index one has two fields:
{
"mappings": {
"properties": {
"src.ip.address": {
"type": "ip"
},
"dst.ip.address": {
"type": "ip"
}
}
}
}

Index two has two fields:
{
"mappings": {
"properties": {
"SOURCE_IP_ADDRESS": {
"type": "ip"
},
"DESTINATION_IP_ADDRESS": {
"type": "ip"
}
}
}
}

I there a way I can modify on of the two kibana index pattern to be able to add an alias or something else to be able to filter for those values?

To be more speficic if I filter for src.ip.address in a dashboard made with both the index patterns, I also filter for SOURCE_IP_ADDRESS on th other index (since they have the same value).

Thanks!

A.

Which version are you running on?

7.8.0

There are multiple ways to do this. It make sense to solve this as far upstream in your pipeline as possible.

• If you can control the data source, change it there (already ruled out)
• If you can control the mapping of the indices, use field aliases (Alias field type | Elasticsearch Guide [master] | Elastic) or copy_to copy_to | Elasticsearch Guide [7.12] | Elastic
• If you can only control Kibana, use a scripted field to check both locations for the actual value (Scripted fields | Kibana Guide [7.12] | Elastic)

This last option is not recommended in this situation, as it will be much slower than the other options.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.