Hi Forum,
I am completely new to lab visualisations, and I have seen Sankey charts and they struck me as particularly useful for charting IP address pairings for flows from DDoS mitigation appliances (I get better information from Elastic than I get from their own management software).
I use grok filters to break up the syslog messages (filebeat to logstash) into src_ip and dst_ip, but I was hoping I could hack the original canned demo by changing this:
sources: [
  {
    stk1: {
      terms: {field: "geo.src"}
    }
  }
  {
    stk2: {
      terms: {field: "geo.dest"}
    }
  }
]
to this:
sources: [
  {
    stk1: {
      terms: {field: "src_ip.keyword"}
    }
  }
  {
    stk2: {
      terms: {field: "dst_ip.keyword"}
    }
  }
]
It shows no data. Can anyone point me in the right direction?
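Added example, not code from the post above or from Elastic: the check a practitioner would run before editing those composite sources. A terms source that names a field missing from the index mapping typically produces no buckets rather than an error, which surfaces in Kibana as an empty chart; whether `src_ip.keyword` exists depends entirely on how the grok output was mapped (dynamic mapping gives a string field a `.keyword` subfield, an index template that maps it as type `ip` does not). The script below resolves the aggregatable name for each field from a constructed mapping, builds the `aggs.table.composite` request the demo sends, and flattens a constructed response into the src/dst links a Sankey needs. The mapping, the response and the IP addresses are all constructed sample data.

```python
"""Resolve aggregatable field names from an index mapping, build the
composite aggregation body the Sankey demo sends, and flatten the
response into source->destination links. Added example, not from the post."""
import json

# Constructed sample mapping (not from the post). src_ip is what default
# dynamic mapping gives a grok-extracted string (text + keyword subfield);
# dst_ip is what an index template gives when the field is mapped as "ip",
# which has no .keyword subfield at all.
SAMPLE_MAPPING = {
    "properties": {
        "src_ip": {"type": "text",
                   "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "dst_ip": {"type": "ip"},
        "message": {"type": "text"},
    }
}

# Field types a terms/composite source can bucket on directly.
AGGREGATABLE_TYPES = {"keyword", "ip", "long", "integer", "short", "byte",
                      "date", "boolean", "double", "float"}


def lookup(mapping, name):
    """Walk a dotted name through object properties and multi-field
    subfields; return the field definition, or None if it is not mapped."""
    node = mapping
    for part in name.split("."):
        children = {**node.get("properties", {}), **node.get("fields", {})}
        if part not in children:
            return None
        node = children[part]
    return node


def aggregatable_field(mapping, name):
    """Return the name a terms source should use for `name`: the field itself
    if its type is aggregatable, its keyword subfield if it is analysed text,
    or None if nothing aggregatable exists (the 'no data' case)."""
    field = lookup(mapping, name)
    if field is None:
        return None
    ftype = field.get("type")
    if ftype in AGGREGATABLE_TYPES:
        return name
    if ftype == "text":
        for sub, subdef in field.get("fields", {}).items():
            if subdef.get("type") == "keyword":
                return f"{name}.{sub}"
    return None


def sankey_body(mapping, src, dst, size=10000):
    """Build the search body with the composite 'table' aggregation and the
    two terms sources (stk1, stk2) that the post's snippet edits. Raise
    instead of silently sending a field name that cannot be aggregated."""
    resolved = [aggregatable_field(mapping, f) for f in (src, dst)]
    missing = [f for f, r in zip((src, dst), resolved) if r is None]
    if missing:
        raise ValueError(f"not aggregatable in mapping: {missing}")
    s1, s2 = resolved
    return {
        "size": 0,
        "aggs": {"table": {"composite": {
            "size": size,
            "sources": [
                {"stk1": {"terms": {"field": s1}}},
                {"stk2": {"terms": {"field": s2}}},
            ],
        }}},
    }


# Constructed response shaped like a composite aggregation result;
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_RESPONSE = {"aggregations": {"table": {"buckets": [
    {"key": {"stk1": "203.0.113.5", "stk2": "198.51.100.10"}, "doc_count": 4200},
    {"key": {"stk1": "203.0.113.5", "stk2": "198.51.100.11"}, "doc_count": 120},
    {"key": {"stk1": "192.0.2.77", "stk2": "198.51.100.10"}, "doc_count": 900},
]}}}


def sankey_links(response):
    """Flatten composite buckets into (source, target, value) rows: one
    link per src/dst pair, weighted by the number of flows seen."""
    buckets = response["aggregations"]["table"]["buckets"]
    return [(b["key"]["stk1"], b["key"]["stk2"], b["doc_count"]) for b in buckets]


def flows_by_source(links):
    """Sum link weights per source address, largest first: the top-talker
    view that is useful when reviewing mitigation logs."""
    totals = {}
    for src, _dst, count in links:
        totals[src] = totals.get(src, 0) + count
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print(json.dumps(sankey_body(SAMPLE_MAPPING, "src_ip", "dst_ip"), indent=2))
    print(flows_by_source(sankey_links(SAMPLE_RESPONSE)))
```

Against the constructed mapping the resolver returns `src_ip.keyword` for the grok-extracted string field but plain `dst_ip` for the `ip`-typed one, so a spec that hard-codes `dst_ip.keyword` would aggregate on a field that does not exist. Running the same resolver against the real mapping (`GET <index>/_mapping`) tells you which of the two names to put in each `terms: {field: ...}`.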