When in Kibana I enter say (src_ip=10.3.25.23 AND dest_port=22) and click search - I get back syslog entries ehter dst_ip is 10.3.25.23 and 22 will be in there as say a an ethernet switch port number - but not the TCP destination port. What am I doing wrong?
Hi @elastimed,
you might have more success with src_ip:10.3.25.23 AND dest_port:22
. Please see the Query String Syntax Documentation for other search operators.
You might also want to double-check that your src_ip
and dest_port
fields are indexed using the correct types, i.e. ip
and integer
. If the src_ip
field has been indexed as a text
, the analyzer might have incorrectly broken down the ip address. Indexing the fields using the correct types also enables other useful type-specific features in the query such as CIDR ranges or numeric ranges.
Yes yes! Gawd this was driving me nuts. Thank you.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.