Querying a field name across multiple indices for identical value

I was hoping someone could offer a level of guidance. I have an Elasticsearch Enterprise cluster which is made up of three servers. My question is actually a basic one.
There are two indices that I have -

a) okta-ioc-ip

The key field in this index is ClientIP.keyword

b) okta-potential-breach

There is more data here but the field of interest is ClientIP.keyword

Hence, we have two indices with the same field name. What I am attempting to do is query both indices to determine if the same IP address exists in both.

Looking for a specific IP address works fine -

GET okta-potential-breach,okta-ioc-ip/_search
{
  "query": {
    "match": {
      "ClientIP.keyword": "192.124.249.110"
    }
  }
}

The results displaying both indices where the IP exists are given. How can I do this if I don't know the IP?

FYI - I tried an indicator match in Rules which was not successful, I was hoping to be able to do this in dev tools.

Please advise and my deepest apologies if the answer is obvious and I have missed it.

As far as I know this is not possible; bear in mind you are using a NoSQL architecture, i.e. no relations between databases, you are just indexing and consulting documents (no tables, foreign keys, etc).

You can query more than one index at a time, I do this a lot in dashboards, which would be similar to your example above.

To do what you mention, you would need to create a third index (e.g. through transform) where you input the info from the other indices into a new one, and then run your queries and reports there.


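The reply above recommends doing the join outside Elasticsearch rather than expecting a single query to relate the two indices. One practical way to do that for this exact question (which IPs occur in both okta-ioc-ip and okta-potential-breach) is to pull the distinct ClientIP.keyword values from each index with a paginated composite aggregation and intersect the two sets client-side. The script below is an added example written for this thread, not code from the original posts or from Elastic; the index names and field come from the question, while the sample IP lists, the fake_search stand-in for es.search, and the page sizes are constructed so it runs offline. A composite aggregation is used instead of a plain terms aggregation because composite walks every distinct value with an after_key cursor, so a long IOC list is not silently truncated by a terms size cap.

```python
# Added example for the thread above, not from the original posts or from Elastic.
# Collect the distinct ClientIP.keyword values of each index with a paginated
# composite aggregation and intersect the sets client-side.
from typing import Callable, Dict, Iterable, List, Optional, Set

SearchFn = Callable[[str, dict], dict]  # (index, request body) -> parsed response


def composite_body(field: str, after_key: Optional[dict] = None, page_size: int = 500) -> dict:
    """Build a search body whose only work is a composite aggregation on `field`.

    Unlike `terms`, `composite` returns every distinct value in deterministic
    order and an `after_key` cursor for the next page, so nothing is dropped.
    """
    composite = {
        "size": page_size,
        "sources": [{"ip": {"terms": {"field": field}}}],
    }
    if after_key is not None:
        composite["after"] = after_key
    return {"size": 0, "aggs": {"ips": {"composite": composite}}}


def distinct_values(search: SearchFn, index: str, field: str, page_size: int = 500) -> Set[str]:
    """Page through the composite aggregation until an empty page comes back."""
    values: Set[str] = set()
    after_key = None
    while True:
        resp = search(index, composite_body(field, after_key, page_size))
        agg = resp["aggregations"]["ips"]
        buckets = agg.get("buckets", [])
        if not buckets:
            break
        values.update(b["key"]["ip"] for b in buckets)
        after_key = agg.get("after_key")
        if after_key is None:  # defensive: a non-empty page always carries a cursor
            break
    return values


def shared_values(search: SearchFn, indices: Iterable[str],
                  field: str = "ClientIP.keyword", page_size: int = 500) -> Set[str]:
    """Return the values of `field` that occur in every one of `indices`."""
    per_index = [distinct_values(search, idx, field, page_size) for idx in indices]
    return set.intersection(*per_index) if per_index else set()


# --- Constructed sample data standing in for the two indices (not real data) ---
SAMPLE_INDICES: Dict[str, List[str]] = {
    "okta-ioc-ip": ["192.124.249.110", "203.0.113.7", "198.51.100.23", "203.0.113.7"],
    "okta-potential-breach": ["10.0.0.5", "192.124.249.110", "198.51.100.23", "172.16.4.9"],
}


def fake_search(index: str, body: dict) -> dict:
    """Offline stand-in for es.search that mimics composite-aggregation paging."""
    comp = body["aggs"]["ips"]["composite"]
    distinct = sorted(set(SAMPLE_INDICES[index]))
    after = comp.get("after")
    if after is not None:
        distinct = [v for v in distinct if v > after["ip"]]
    page = distinct[: comp["size"]]
    agg = {"buckets": [{"key": {"ip": v}, "doc_count": 1} for v in page]}
    if page:
        agg["after_key"] = {"ip": page[-1]}
    return {"aggregations": {"ips": agg}}


if __name__ == "__main__":
    # Against a real cluster (assumption: elasticsearch-py 8.x client), swap in:
    #   es = Elasticsearch("https://your-cluster:9200", basic_auth=("user", "pass"))
    #   shared_values(lambda idx, body: es.search(index=idx, **body), indices)
    indices = ["okta-ioc-ip", "okta-potential-breach"]
    print(sorted(shared_values(fake_search, indices, page_size=2)))
    # prints ['192.124.249.110', '198.51.100.23']
```

Two requests per page are cheap compared with a transform pipeline, and the client-side set is easy to feed back into a detection rule or a third "shared IOC" index if that is the end goal. If the potential-breach index is large, keep page_size at a few hundred; Elasticsearch rejects composite pages above the cluster's bucket limit.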
Thank you very much, and it is appreciated. This makes perfect sense. Constructing the dashboard would be the path of least resistance.
