Hello,
I'm on Kibana V 7.12.0
I have lot of Fields on Kibana : "Kibana> Index Patterns" (1500+).
I this case the logs are from Windows (nxlog).
I have a field with windows event ID (5447 for example).
Is it possible to know all fields available by event ID ?
For example, for the field AllowedToDelegateTo I have 2 eventID.
But I can't do that for 1500 fields !
Is it possible to export data to know witch field is available for all event ID ?
Thank you.
Unfortunately Kibana doesn't provide much tooling around "doing something for every field".
The best approach I can think of is to build the following visualization:
AllowedToDelegateTo: *, field2: * and so on for all 1500 fields, you get the ideaevent.code
This will give you a table like this:
| Field filter | number of event codes |
|AllowedToDelegateTo: *, | 2|
|field2: *|5|
...
It's annoying to type 1500 filters like this, you might be able to automate this part by doing the first two field filters, then saving the visualization to the library, exporting the saved object via saved object management which will give you a json file, then write a script which will create all of the necessary filters.
Another approach would probably require more work (and might not be feasible depending on data volume) - it would require splitting up your documents. Instead of a single document like this:
{
AllowedToDelegateTo: "someval",
field2: "someotherval",
eventCode: 4738
}
ingest one document per field like this:
{
key: "AllowedToDelegateTo",
value: "someval",
eventCode: 4738
}
{
key: "field2",
value: "someotherval",
eventCode: 4738
}
Then you can do a top values on key with a unique count on eventCode to get the same information.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.