Hi, I'm working a DFIR case, I'm fairly new to Kibana.
I've got millions of log entries to sift through. I need to see the log entries of a certain kind that were created after normal business hours any day of the week. For instance:
"Display the ssh logs created from 7pm --> 6am for the last 6 months"
I can't figure out how to do this, any suggestions?
You can create a scripted field "hour of day" and then filter based on it. An example is part of the "Logs" sample data set.
If your data volume is large, this approach can become slow - if you are hit by that, you can move this calculation into the ingest phase by using Logstash or an Elasticsearch ingest pipeline. But IMHO it makes sense to start with a scripted field and see whether it's enough.
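An added example, not code from the thread above or from Elastic, showing the "hour of day" filter the reply describes in two forms: the Elasticsearch query DSL (a range on `@timestamp` plus a Painless script filter) and an equivalent Python predicate run locally over constructed sample entries, so the midnight-wrapping window and the time zone handling can be checked before the query is run against millions of documents. Assumptions: ECS field names (`@timestamp`, `process.name` equal to `sshd` for the ssh logs), a business-hours zone of `America/New_York`, and the ES 7+ Painless date API (`withZoneSameInstant`, `ZoneId.of`, `getHour`); the sample log entries and the fixed "now" are constructed.

```python
# Added example, not code from the original thread. It shows the
# "hour of day" filter in two forms: the Elasticsearch query DSL
# (range on @timestamp plus a Painless script filter) and an
# equivalent local Python predicate run over constructed sample entries.
# Assumptions: ECS field names (@timestamp, process.name == "sshd"),
# a site time zone of America/New_York, and the ES 7+/8 Painless date API.
from datetime import datetime, timedelta, timezone

AFTER_HOURS_START = 19          # 7pm local: window opens
AFTER_HOURS_END = 6             # 6am local: window closes (exclusive)
LOCAL_TZ = "America/New_York"   # assumption: the analyst's business-hours zone


def _zone(name):
    """Resolve an IANA zone; fall back to fixed UTC-5 if tzdata is absent."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:            # no tzdata on this host: lose DST, keep running
        return timezone(timedelta(hours=-5), "EST-fallback")


def parse_utc(s):
    """Parse an ISO-8601 'Z' timestamp as Elasticsearch stores it (always UTC)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_after_hours(ts_utc, start=AFTER_HOURS_START, end=AFTER_HOURS_END, tz=LOCAL_TZ):
    """True if the local hour is in [start, 24) or [0, end). Handles the
    midnight wrap that 19:00 -> 06:00 needs (start > end)."""
    hour = ts_utc.astimezone(_zone(tz)).hour
    if start > end:
        return hour >= start or hour < end
    return start <= hour < end


def build_after_hours_query(tz=LOCAL_TZ, start=AFTER_HOURS_START, end=AFTER_HOURS_END,
                            lookback="now-6M", process="sshd"):
    """Query DSL for: sshd events, last 6 months, local hour inside the window.
    The term and range filters shrink the candidate set before the script runs."""
    painless = (
        "int h = doc['@timestamp'].value"
        ".withZoneSameInstant(ZoneId.of(params.tz)).getHour();"
        " return params.start > params.end"
        " ? (h >= params.start || h < params.end)"
        " : (h >= params.start && h < params.end);"
    )
    return {"query": {"bool": {"filter": [
        {"term": {"process.name": process}},
        {"range": {"@timestamp": {"gte": lookback, "lte": "now"}}},
        {"script": {"script": {"lang": "painless", "source": painless,
                               "params": {"tz": tz, "start": start, "end": end}}}},
    ]}}}


# Constructed sample entries (UTC). 4-5 March 2024 is EST (UTC-5) in New York.
SAMPLE_LOGS = [
    {"@timestamp": "2024-03-04T23:30:00Z", "process.name": "sshd", "message": "18:30 local, business hours"},
    {"@timestamp": "2024-03-05T01:00:00Z", "process.name": "sshd", "message": "20:00 local, after hours"},
    {"@timestamp": "2024-03-05T02:00:00Z", "process.name": "cron", "message": "21:00 local, wrong process"},
    {"@timestamp": "2024-03-05T10:30:00Z", "process.name": "sshd", "message": "05:30 local, after hours"},
    {"@timestamp": "2024-03-05T11:00:00Z", "process.name": "sshd", "message": "06:00 local, window closed"},
    {"@timestamp": "2024-03-05T15:00:00Z", "process.name": "sshd", "message": "10:00 local, business hours"},
    {"@timestamp": "2023-10-01T02:00:00Z", "process.name": "sshd", "message": "22:00 local, but older than 6 months"},
]
FIXED_NOW = parse_utc("2024-06-01T00:00:00Z")   # constructed "now" so results are stable


def filter_after_hours(entries, now=FIXED_NOW, process="sshd", tz=LOCAL_TZ):
    """Local equivalent of the query above: same predicate, Python instead of Painless."""
    since = now - timedelta(days=183)   # rough stand-in for now-6M
    hits = []
    for e in entries:
        if e.get("process.name") != process:
            continue
        ts = parse_utc(e["@timestamp"])
        if since <= ts <= now and is_after_hours(ts, tz=tz):
            hits.append(e)
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(build_after_hours_query(), indent=2))
    for hit in filter_after_hours(SAMPLE_LOGS):
        print(hit["@timestamp"], hit["message"])
```

Two things to watch when moving this into Kibana. First, Elasticsearch stores every timestamp in UTC, so a scripted field that only does `doc['@timestamp'].value.getHour()` gives the UTC hour; "7pm to 6am" in the analyst's or the victim's local time needs the `withZoneSameInstant(ZoneId.of(...))` conversion shown above, and the zone must match where the business hours actually apply. Second, because the window crosses midnight, the filter has to be `hour >= 19 OR hour < 6`, not a single range; if you build it as a scripted field and then use Kibana's filter bar, make sure the two halves end up ORed together. If the script filter turns out too slow on the full index, the same Painless expression can be moved into an ingest pipeline `script` processor that writes an `hour_of_day` field at index time, as the reply suggests, and the filter then becomes a plain term or range query.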