Two index query, linking field

Hi,
I just started with Elasticsearch in order to analyse our network data. So far it works well and above expectation.

The netflow data goes to the index log_netflow:

    "_source" : {
      "host" : "192.168.1.1",
      "type" : "netflow",
      "@timestamp" : "2019-01-04T00:28:05.000Z",
      "netflow" : {
        "protocol" : 6,
        "ipv4_src_addr" : "172.16.0.170",
        "l4_src_port" : 5500,
        "ipv4_dst_addr" : "10.0.0.2",
        "l4_dst_port" : 23
      }
    }

and all kinds of queries work just fine.

Now I created a new index, whitelist_ip:

    "_source" : {
      "name" : "desktop",
      "ipaddr" : "192.168.1.4",
      "description" : "sysop pc"
    }

in which I added the IPs that are 'allowed'. But now I'm stuck on the next step ... How can I create a query that only gives me the log_netflow records of which the "ipv4_src_addr" is not whitelisted in "ipaddr"?

Can someone point me in the right direction :roll_eyes: ?
Thnx, Ton.
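One way to get there, as an added example that is not part of the original post: Elasticsearch has no join across indices, so the whitelist addresses are read first and then excluded with a terms clause inside bool.must_not on log_netflow. Index and field names are the ones from the post; the sample hits are constructed stand-ins for what the two searches would return.

```python
# Added example, not from the original post. Index/field names follow the
# post (log_netflow, whitelist_ip, netflow.ipv4_src_addr, ipaddr); the hit
# lists below are constructed stand-ins for real search responses.

WHITELIST_DOCS = [  # constructed hits from: GET whitelist_ip/_search
    {"_source": {"name": "desktop", "ipaddr": "192.168.1.4", "description": "sysop pc"}},
    {"_source": {"name": "router", "ipaddr": "172.16.0.170", "description": "core"}},
]
NETFLOW_DOCS = [  # constructed hits from: GET log_netflow/_search
    {"_source": {"netflow": {"ipv4_src_addr": "172.16.0.170", "l4_dst_port": 23}}},
    {"_source": {"netflow": {"ipv4_src_addr": "10.0.0.9", "l4_dst_port": 22}}},
    {"_source": {"netflow": {"ipv4_src_addr": "192.168.1.4", "l4_dst_port": 443}}},
]


def whitelist_ips(hits):
    """Step 1: collect every 'ipaddr' value from the whitelist_ip hits
    (with a real cluster, page through the index with size/scroll)."""
    return sorted({h["_source"]["ipaddr"] for h in hits if "ipaddr" in h["_source"]})


def build_not_whitelisted_query(ips):
    """Step 2: bool query excluding any whitelisted source address.
    Send it as the body of GET log_netflow/_search."""
    return {
        "query": {
            "bool": {
                "must_not": [{"terms": {"netflow.ipv4_src_addr": list(ips)}}]
            }
        }
    }


def apply_locally(query, hits):
    """Evaluate the same must_not/terms logic over in-memory hits so the
    expected result can be checked without a running cluster."""
    excluded = set(query["query"]["bool"]["must_not"][0]["terms"]["netflow.ipv4_src_addr"])
    return [h for h in hits if h["_source"]["netflow"]["ipv4_src_addr"] not in excluded]


def not_whitelisted_sources(whitelist_hits=WHITELIST_DOCS, netflow_hits=NETFLOW_DOCS):
    """Source addresses of the netflow records that are NOT whitelisted."""
    query = build_not_whitelisted_query(whitelist_ips(whitelist_hits))
    return [h["_source"]["netflow"]["ipv4_src_addr"] for h in apply_locally(query, netflow_hits)]


if __name__ == "__main__":
    print(not_whitelisted_sources())  # ['10.0.0.9']
```

The terms list is bounded by the index setting index.max_terms_count (65536 by default), so a very large whitelist needs either that limit raised or a single whitelist document holding all addresses in one array field, which the terms lookup form of the query can reference directly.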
