I am relatively new to Elastic and we are expanding our ES usage daily.
We are ingesting logs from various network devices but have come across a problem with Cisco. They do not send the hostname in their syslog, and therefore all we get is, for example,
log.source.address: 10.1.1.1:56783 (where the port is random)
Therefore in KQL there are many entries for one device, and there seems to be no way to simply wildcard 10.1.1.1.
Using Lucene we need to build a regular expression for this, and I have tried various formats, but as ^ is not supported there seems to be no way to say
log.source.address:10/.1/.1/.1:<1-99999> and produce a result from this, or using various combinations.
Instead of trying to figure out how to write a full text search query, a more efficient way of solving this would be to store the IP address in a dedicated field of the type ip and query that field...
If that is possible, Alexander, certainly. I was trying to search online for a way to convert the output of log.source.address: 10.1.1.1:56783 to, say, logsource.ip:10.1.1.1, but could not find it. Could you direct me to the resource for that?
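The following is an added example of what Alexander's suggestion looks like in practice; it is not code from either poster. It builds the ingest pipeline that splits log.source.address into a typed ip field plus a port, the index mapping that gives that field the ip type, and the query that then matches one device regardless of the ephemeral port. The ECS target fields source.ip and source.port, the pipeline and index names, and the sample events are all assumptions; the split is also implemented locally in Python so it can be run offline against constructed events, including an IPv6 address in brackets and a malformed value that must be left untouched.

```python
# Added example (not code from the thread): split Cisco syslog "ip:port" into a
# dedicated ip-typed field so one device can be queried regardless of port.
# Assumptions: ECS target fields source.ip / source.port, and the pipeline and
# index names below; all sample events are constructed, not real log data.
import ipaddress
import json
import re
from collections import Counter

PIPELINE_ID = "cisco-syslog-split-address"   # assumed name
INDEX_NAME = "logs-cisco-syslog"             # assumed name

# Ingest pipeline: grok splits log.source.address into source.ip / source.port.
# %{IP} covers IPv4 and IPv6; the optional brackets handle "[2001:db8::1]:514".
INGEST_PIPELINE = {
    "description": "Split Cisco syslog source ip:port into typed fields",
    "processors": [
        {"grok": {
            "field": "log.source.address",
            "patterns": ["^\\[?%{IP:source.ip}\\]?:%{POSINT:source.port}$"],
            "ignore_missing": True,
        }},
        {"convert": {"field": "source.port", "type": "long", "ignore_missing": True}},
    ],
}

# Index mapping: the ip type enables exact-match and CIDR queries on source.ip;
# the original address is kept as a keyword for reference.
INDEX_MAPPING = {
    "mappings": {"properties": {
        "log": {"properties": {"source": {"properties": {"address": {"type": "keyword"}}}}},
        "source": {"properties": {"ip": {"type": "ip"}, "port": {"type": "long"}}},
    }}
}

_ADDR_RE = re.compile(r"^\[?(?P<ip>[^\]]+?)\]?:(?P<port>\d{1,5})$")


def split_address(address):
    """Offline equivalent of the grok step: return (ip, port) or None.

    Rejects addresses with no port, an invalid IP, or a port outside 1-65535,
    so a malformed event is left untouched rather than indexed with a bad ip.
    """
    match = _ADDR_RE.match(address or "")
    if not match:
        return None
    try:
        ip = ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None
    port = int(match.group("port"))
    if not 0 < port <= 65535:
        return None
    return str(ip), port


def enrich(event):
    """Simulate the pipeline on one event dict, adding source.ip / source.port."""
    parsed = split_address(event.get("log", {}).get("source", {}).get("address"))
    if parsed:
        ip, port = parsed
        event.setdefault("source", {}).update({"ip": ip, "port": port})
    return event


def events_per_device(events):
    """Count events per device by source.ip, collapsing the random ports."""
    return Counter(e["source"]["ip"] for e in events if "ip" in e.get("source", {}))


def kql_for_host(ip):
    """KQL for one device once source.ip is an ip field (no regex needed)."""
    return f'source.ip: "{ip}"'


def dsl_for_host(ip_or_cidr):
    """Query DSL equivalent; a term query on an ip field also accepts CIDR."""
    return {"query": {"term": {"source.ip": ip_or_cidr}}}


if __name__ == "__main__":
    # Constructed sample events: one device, several ephemeral source ports.
    sample = [
        {"log": {"source": {"address": "10.1.1.1:56783"}}},
        {"log": {"source": {"address": "10.1.1.1:40112"}}},
        {"log": {"source": {"address": "[2001:db8::1]:514"}}},
        {"log": {"source": {"address": "not-an-address"}}},
    ]
    enriched = [enrich(e) for e in sample]
    print(events_per_device(enriched))
    print(kql_for_host("10.1.1.1"), "|", json.dumps(dsl_for_host("10.1.1.0/24")))
    print("PUT _ingest/pipeline/%s" % PIPELINE_ID, json.dumps(INGEST_PIPELINE))
    print("PUT %s" % INDEX_NAME, json.dumps(INDEX_MAPPING))
```

To use it against a cluster, PUT the pipeline body to _ingest/pipeline/<id>, create the index with the mapping, and attach the pipeline either through the index setting index.default_pipeline or the pipeline parameter on the bulk request; Filebeat and Logstash can reference the same pipeline by id. The grok pattern is anchored at both ends so a value that is not exactly ip:port fails the processor instead of producing a partial ip, and since the mapping would reject a non-IP string in source.ip, the offline check here deliberately mirrors that by returning None for malformed input.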