Simple compound search in Kibana

When in Kibana I enter say (src_ip= AND dest_port=22) and click search - I get back syslog entries where either dst_ip is and 22 will be in there as, say, an Ethernet switch port number - but not the TCP destination port. What am I doing wrong?

Hi @elastimed,

you might have more success with src_ip: AND dest_port:22. Please see the Query String Syntax Documentation for other search operators.

You might also want to double-check that your src_ip and dest_port fields are indexed using the correct types, i.e. ip and integer. If the src_ip field has been indexed as text, the analyzer might have incorrectly broken down the IP address. Indexing the fields using the correct types also enables other useful type-specific features in the query, such as CIDR ranges or numeric ranges.
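As an added example (not part of the original thread, and not Elastic's own documentation), here is what the two points in the answer look like in Kibana Dev Tools console syntax. The index name `syslog-demo`, the field names and the sample addresses are constructed for illustration. The first request maps `src_ip` as `ip` and `dest_port` as `integer`; the second shows the `field:value` query string form, plus the CIDR and numeric range forms that only work once the fields have those types. With `src_ip=10.0.0.5 AND dest_port=22`, the `=` is not a query string operator, so each term is searched as free text across all fields, which is why a `22` in the message body (such as a switch port number) matches.

```http
# Map the fields with types that match their content (constructed demo index).
PUT syslog-demo
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "src_ip":     { "type": "ip" },
      "dest_ip":    { "type": "ip" },
      "dest_port":  { "type": "integer" },
      "message":    { "type": "text" }
    }
  }
}

# Two constructed documents: one real SSH flow, one switch log that merely
# mentions "22" in its message text.
POST syslog-demo/_bulk
{ "index": {} }
{ "@timestamp": "2024-01-01T10:00:00Z", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "dest_port": 22, "message": "accepted connection" }
{ "index": {} }
{ "@timestamp": "2024-01-01T10:00:01Z", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "dest_port": 443, "message": "link up on Ethernet22" }

# Field-scoped query: only the first document matches, because dest_port is
# compared as a number, not as a token inside the message text.
GET syslog-demo/_search
{
  "query": {
    "query_string": {
      "query": "src_ip:10.0.0.5 AND dest_port:22"
    }
  }
}

# Type-specific features that the ip and integer mappings enable:
# a CIDR match on src_ip and a numeric range on dest_port.
GET syslog-demo/_search
{
  "query": {
    "query_string": {
      "query": "src_ip:10.0.0.0/24 AND dest_port:[1024 TO 65535]"
    }
  }
}
```

The same `src_ip:10.0.0.5 AND dest_port:22` string can be typed directly into the Kibana search bar; the `query_string` wrapper above is only what the console needs to run it. If an existing index already has `src_ip` mapped as `text`, the mapping cannot be changed in place; reindex into an index created with the mapping above (or add the mapping to the index template so new daily indices pick it up).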

Yes yes! Gawd this was driving me nuts. Thank you.