Sankey Charts - Using IP addresses

Hi Forum,

I am completely new to lab visualisations, and I have seen Sankey Charts and they struck me as particularly useful for charting IP address pairing for flows from DDoS mitigation appliances (I get better information from elastic than I get from their own management software).

I use grok filters to break up the syslog messages (filebeat to logstash) into src_ip and dst_ip, but hoping I could hack the original canned demo by changing this:

    sources: [
      {
        stk1: {
          terms: {field: "geo.src"}
        }
      }
      {
        stk2: {
          terms: {field: "geo.dest"}
        }
      }
    ]

to this:

    sources: [
      {
        stk1: {
          terms: {field: "src_ip.keyword"}
        }
      }
      {
        stk2: {
          terms: {field: "dst_ip.keyword"}
        }
      }
    ]

Shows no data. Can anyone point me in the right direction?

Can you make sure that the timefield and index are also set OK in the Vega code?

    url: {
      %context%: true
      %timefield%: @timestamp
      index: logstash-*

Hi Marius,

Thanks! My index is filebeat so I had that as filebeat-*, but I think the problem I had (that you pointed out) was that I had

    url: {
      %context%: true
      %timefield%: timestamp
      index: filebeat*

and I added the @timestamp as you suggested:

    url: {
      %context%: true
      %timefield%: @timestamp
      index: filebeat*

After that... BOOM! Thanks :smiley:
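A small pre-flight check for the two points this thread turns on (whether %timefield% names a real date field, and whether the terms sources point at an aggregatable .keyword field rather than a text field), written as an added example rather than code from the thread or from Kibana. The index mapping is constructed, and the composite-aggregation shape mirrors the Sankey demo's `sources` list with the `size` value assumed.

```python
"""Check a Kibana Vega data-url block against an index mapping before loading it,
catching a bad %timefield% (timestamp vs @timestamp) and non-aggregatable fields."""

# Constructed mapping standing in for a grok-parsed filebeat index.
SAMPLE_MAPPING = {
    "@timestamp": {"type": "date"},
    "src_ip": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "dst_ip": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
}

# Field types a terms aggregation can bucket on (text is not one of them).
AGGREGATABLE = {"keyword", "ip", "date", "long", "integer", "short", "boolean"}


def field_type(mapping, path):
    """Resolve a dotted path such as 'src_ip.keyword' through multi-fields."""
    parts = path.split(".")
    node = mapping.get(parts[0])
    for part in parts[1:]:
        node = node.get("fields", {}).get(part) if node else None
    return node.get("type") if node else None


def check_vega_url(mapping, url_block, term_fields):
    """Return a list of problems; an empty list means the block looks usable."""
    problems = []
    timefield = url_block.get("%timefield%") or ""
    if url_block.get("%context%") and field_type(mapping, timefield) != "date":
        problems.append(f"%timefield% {timefield!r} is not a date field")
    for f in term_fields:
        ftype = field_type(mapping, f)
        if ftype is None:
            problems.append(f"field {f!r} is not in the mapping")
        elif ftype not in AGGREGATABLE:
            problems.append(f"field {f!r} is {ftype!r}; use {f}.keyword for terms")
    return problems


def sankey_composite_aggs(term_fields, size=10000):
    """Build the composite aggregation the Sankey demo's 'sources' list maps to."""
    sources = [{f"stk{i}": {"terms": {"field": f}}}
               for i, f in enumerate(term_fields, start=1)]
    return {"table": {"composite": {"size": size, "sources": sources}}}


if __name__ == "__main__":
    broken = {"%context%": True, "%timefield%": "timestamp", "index": "filebeat*"}
    fixed = {"%context%": True, "%timefield%": "@timestamp", "index": "filebeat*"}
    flows = ["src_ip.keyword", "dst_ip.keyword"]
    print(check_vega_url(SAMPLE_MAPPING, broken, flows))   # timefield problem
    print(check_vega_url(SAMPLE_MAPPING, fixed, flows))    # []
    print(check_vega_url(SAMPLE_MAPPING, fixed, ["src_ip", "dst_ip"]))
```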

Awesome, glad it helped.
