Two indexes: how to filter with different field names

Hi there!

I have two different indexes that have different field names which are actually the same thing:

For example:
Index 1 has: IPV4_SRC_ADDR : "75.72.214.200"
Index 2 has: source.addr: "75.72.214.200"

I cannot modify the index but I can work on the index pattern. Is there a way that I can create an additional field to filter on, so I can click and get only the results from that IP?

Tried with scripted fields but did not work.

Thanks.

Can you modify the index mappings? I think you could use a field alias for this: Introducing Field Aliases in Elasticsearch | Elastic Blog

Not without the suggestion from Patrick, no.

Hello!

I tried to add it like this:

PUT ntopng-*/_mapping
{
  "properties": {
    "source.ip": {
      "type": "alias",
      "path": "IPV4_SRC_ADDR"
    }
  }
}

Refreshed the index etc., but I couldn't find the field to add it to a visualization (Lens). It does not show up even in the Discover view.

Is there a way to find out why? Kibana 7.8.0.

N.B. the right name is source.ip, not source.addr as stated in the first post.
