Simple compound search in Kibana

(Mike) #1

When in Kibana I enter, say, (src_ip= AND dest_port=22) and click search, I get back syslog entries where dst_ip is and 22 will be in there as, say, an Ethernet switch port number, but not the TCP destination port. What am I doing wrong?

(Felix Stürmer) #2

Hi @elastimed,

you might have more success with src_ip: AND dest_port:22. Please see the Query String Syntax Documentation for other search operators.

You might also want to double-check that your src_ip and dest_port fields are indexed using the correct types, i.e. ip and integer. If the src_ip field has been indexed as text, the analyzer might have incorrectly broken down the IP address. Indexing the fields using the correct types also enables other useful type-specific features in the query such as CIDR ranges or numeric ranges.
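To make both checks concrete, here is an added example in Kibana Dev Tools Console syntax (not from the original thread); the index name firewall-logs and the sample address are assumed values. It maps the two fields with the right types, indexes one constructed event whose free text also contains "22", and runs the field:value query the reply suggests, plus a CIDR/range variant that only works because the fields are typed:

```console
# Check 2: map the fields with the right types before indexing
PUT /firewall-logs
{
  "mappings": {
    "properties": {
      "src_ip":    { "type": "ip" },
      "dest_port": { "type": "integer" },
      "message":   { "type": "text" }
    }
  }
}

# Constructed sample event: "22" also appears in the message text,
# which is why an untargeted search for 22 matches switch port numbers
POST /firewall-logs/_doc?refresh=true
{
  "src_ip": "10.0.0.5",
  "dest_port": 22,
  "message": "accepted connection on switch port Gi1/0/22"
}

# Check 1: field:value syntax, as Kibana passes it to query_string;
# only dest_port is tested, so the "22" in message does not match
GET /firewall-logs/_search
{
  "query": {
    "query_string": {
      "query": "src_ip:10.0.0.5 AND dest_port:22"
    }
  }
}

# Typed fields also allow CIDR and numeric ranges:
# any host in the assumed /24 hitting a privileged port
GET /firewall-logs/_search
{
  "query": {
    "query_string": {
      "query": "src_ip:10.0.0.0/24 AND dest_port:[1 TO 1023]"
    }
  }
}
```

If an existing index already has src_ip mapped as text, the mapping cannot be changed in place; reindex into a correctly mapped index (or fix the index template for future indices).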

(Mike) #3

Yes yes! Gawd this was driving me nuts. Thank you.

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.