Simple compound search in Kibana


(Mike) #1

When in Kibana I enter say (src_ip=10.3.25.23 AND dest_port=22) and click search, I get back syslog entries where dst_ip is 10.3.25.23 and 22 will be in there as say an ethernet switch port number, but not the TCP destination port. What am I doing wrong?


(Felix Stürmer) #2

Hi @elastimed,

you might have more success with src_ip:10.3.25.23 AND dest_port:22. Please see the Query String Syntax Documentation for other search operators.

You might also want to double-check that your src_ip and dest_port fields are indexed using the correct types, i.e. ip and integer. If the src_ip field has been indexed as a text, the analyzer might have incorrectly broken down the ip address. Indexing the fields using the correct types also enables other useful type-specific features in the query such as CIDR ranges or numeric ranges.
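
The point about `:` versus `=` and about field types, as an added example that is not part of this thread: a small Python model of the behaviour the answer describes. The events, the field names and the tokenizer below are constructed, and the evaluator is a simplified stand-in for Kibana's query string parser and Elasticsearch's analyzer, not their actual code. A clause written as `field:value` is checked against the typed field (with CIDR and numeric ranges), while anything else, such as `dest_port=22`, is analyzed into tokens and matched against every text field, which is why a switch port "22" in the message text comes back.

```python
import ipaddress
import re

# Constructed sample events (not from the thread): src_ip / dest_port are the
# typed fields, message is free text as a syslog line would be.
EVENTS = [
    {"src_ip": "10.3.25.23", "dest_port": 22,
     "message": "sshd accepted connection from 10.3.25.23"},
    {"src_ip": "10.3.25.23", "dest_port": 443,
     "message": "switch 10.3.25.23: link up on GigabitEthernet port 22"},
    {"src_ip": "192.168.7.9", "dest_port": 22,
     "message": "sshd accepted connection from 192.168.7.9"},
]

# Index mapping the answer recommends: ip and integer instead of text.
MAPPING = {
    "properties": {
        "src_ip": {"type": "ip"},
        "dest_port": {"type": "integer"},
        "message": {"type": "text"},
    }
}


def tokens(text):
    """Simplified analyzer stand-in: lowercase, keep runs of [a-z0-9.]."""
    return set(re.findall(r"[a-z0-9.]+", text.lower()))


def typed_match(field, value, event):
    """field:value against a typed field; supports CIDR and [lo TO hi]."""
    ftype = MAPPING["properties"][field]["type"]
    actual = event[field]
    if ftype == "ip":
        net = ipaddress.ip_network(value, strict=False)  # plain IP or CIDR
        return ipaddress.ip_address(actual) in net
    if ftype == "integer":
        m = re.fullmatch(r"\[(\d+) TO (\d+)\]", value)
        if m:
            return int(m.group(1)) <= actual <= int(m.group(2))
        return actual == int(value)
    return value.lower() in tokens(actual)


def free_text_match(term, event):
    """No field prefix: the term is analyzed and any token may hit any text field."""
    wanted = tokens(term)  # "dest_port=22" -> {"dest", "port", "22"}
    seen = set()
    for name, spec in MAPPING["properties"].items():
        if spec["type"] == "text":
            seen |= tokens(event[name])
    return bool(wanted & seen)


def search(query, events=EVENTS):
    """Evaluate 'clause AND clause ...' and return the matching events."""
    query = query.strip()
    if query.startswith("(") and query.endswith(")"):
        query = query[1:-1]
    clauses = [c.strip() for c in query.split(" AND ")]
    hits = []
    for ev in events:
        ok = True
        for clause in clauses:
            m = re.fullmatch(r"(\w+):(.+)", clause)
            if m and m.group(1) in MAPPING["properties"]:
                ok = typed_match(m.group(1), m.group(2), ev)
            else:
                ok = free_text_match(clause, ev)
            if not ok:
                break
        if ok:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    # The '=' form only finds the switch line (22 as a text token).
    print(search("(src_ip=10.3.25.23 AND dest_port=22)"))
    # The ':' form finds the real SSH connection via the typed fields.
    print(search("src_ip:10.3.25.23 AND dest_port:22"))
    # Typed fields also allow CIDR and numeric ranges.
    print(search("src_ip:10.3.0.0/16 AND dest_port:[1 TO 1024]"))
```

Running the block shows the three cases side by side: the `=` query returns only the switch event, the `:` query returns only the SSH event, and the CIDR/range query returns both events from the 10.3.0.0/16 network.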


(Mike) #3

Yes yes! Gawd this was driving me nuts. Thank you.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.