Unable to use sub-fields of event_data

I'm trying to replicate some of the examples found in this blog piece:

But I can't enter sub-fields of event_data as terms in a Kibana visualization --

To be clear, I can definitely create a filter or perform a saved search in "Discover" to look for "event_data.LogonType" or "event_data.SubjectUserName". I'm also successfully using these terms for filtering incoming logs in Logstash.

How do I enter these terms into Kibana's Visualizations? I have already tried importing the JSON for this set of visualizations from the blog post, but the visualizations were rejected by Kibana.

If you put all the individual expressions together, you should be able to paste that into the search box.

event_id:4624 AND !event_data.LogonType:0 AND !event_data.LogonType:5 AND !event_data.TargetUserName:"ANONYMOUS LOGON" AND !event_data.TargetDomainName:"Window Manager" AND !event_data.TargetUserName:*$ AND !tags:"dc"
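The query above is a Lucene query string, so it is hard to check what it actually excludes without a cluster. As an added example, not part of the original thread or of the blog post being replicated, the same filter is written out in Python and run over a handful of constructed winlogbeat-shaped documents, then split by the event_data sub-fields the question asks about. Field names follow winlogbeat's event_id / event_data.* / tags layout; the sample documents are made up for this illustration.

```python
"""Re-implement the Kibana query-string logon filter in Python and split the
matches by arbitrary dotted field names (event_data.LogonType etc.).
The SAMPLE_EVENTS below are constructed for this example, not captured logs."""
from collections import Counter

SAMPLE_EVENTS = [
    # interactive logon, should match
    {"event_id": 4624, "computer_name": "WS01", "tags": [],
     "event_data": {"LogonType": "2", "TargetUserName": "alice",
                    "TargetDomainName": "CORP", "SubjectUserName": "-"}},
    # LogonType 5 (service), excluded by !event_data.LogonType:5
    {"event_id": 4624, "computer_name": "WS01", "tags": [],
     "event_data": {"LogonType": "5", "TargetUserName": "SYSTEM",
                    "TargetDomainName": "NT AUTHORITY", "SubjectUserName": "-"}},
    # anonymous logon, excluded
    {"event_id": 4624, "computer_name": "WS02", "tags": [],
     "event_data": {"LogonType": "3", "TargetUserName": "ANONYMOUS LOGON",
                    "TargetDomainName": "NT AUTHORITY", "SubjectUserName": "-"}},
    # machine account (trailing $), excluded by !event_data.TargetUserName:*$
    {"event_id": 4624, "computer_name": "WS02", "tags": [],
     "event_data": {"LogonType": "3", "TargetUserName": "WS02$",
                    "TargetDomainName": "CORP", "SubjectUserName": "-"}},
    # RemoteInteractive (RDP) logon, should match
    {"event_id": 4624, "computer_name": "WS03", "tags": [],
     "event_data": {"LogonType": "10", "TargetUserName": "bob",
                    "TargetDomainName": "CORP", "SubjectUserName": "-"}},
    # domain controller, excluded by !tags:"dc"
    {"event_id": 4624, "computer_name": "DC01", "tags": ["dc"],
     "event_data": {"LogonType": "3", "TargetUserName": "alice",
                    "TargetDomainName": "CORP", "SubjectUserName": "-"}},
    # Desktop Window Manager session, excluded by TargetDomainName
    {"event_id": 4624, "computer_name": "WS01", "tags": [],
     "event_data": {"LogonType": "2", "TargetUserName": "DWM-1",
                    "TargetDomainName": "Window Manager", "SubjectUserName": "-"}},
    # failed logon (4625), wrong event_id
    {"event_id": 4625, "computer_name": "WS03", "tags": [],
     "event_data": {"LogonType": "3", "TargetUserName": "carol",
                    "TargetDomainName": "CORP", "SubjectUserName": "-"}},
]


def get_field(doc, path):
    """Resolve a dotted field name such as 'event_data.LogonType' in a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_logon_of_interest(doc):
    """Python equivalent of:
    event_id:4624 AND !event_data.LogonType:0 AND !event_data.LogonType:5
    AND !event_data.TargetUserName:"ANONYMOUS LOGON"
    AND !event_data.TargetDomainName:"Window Manager"
    AND !event_data.TargetUserName:*$ AND !tags:"dc"
    """
    if get_field(doc, "event_id") != 4624:
        return False
    if str(get_field(doc, "event_data.LogonType")) in ("0", "5"):
        return False
    target_user = get_field(doc, "event_data.TargetUserName") or ""
    if target_user == "ANONYMOUS LOGON" or target_user.endswith("$"):
        return False
    if get_field(doc, "event_data.TargetDomainName") == "Window Manager":
        return False
    if "dc" in (get_field(doc, "tags") or []):
        return False
    return True


def split_by(docs, field):
    """The 'Terms' split from a Kibana data table: matching docs per value of field."""
    return Counter(str(get_field(d, field)) for d in docs if is_logon_of_interest(d))


if __name__ == "__main__":
    for field in ("computer_name", "event_data.LogonType", "event_data.TargetUserName"):
        print(field, dict(split_by(SAMPLE_EVENTS, field)))
```

Running it shows that only the alice (type 2) and bob (type 10) logons survive the filter; every other sample document is dropped by exactly one of the negated clauses, which is a quick way to confirm the query string says what you think it does before building a visualization on it.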

I've used the solution of putting all of the individual expressions together in the search box -- I can do that in both Discover and Visualize, to create a table (for instance, by computer_name). However, in Visualize I can't figure out how to break data out by subfields under event_data (for instance, event_data.SubjectUserName or event_data.LogonType). If I use "Terms" or "Significant Terms" to split rows of a Data Table, event_data is not a selectable option (and there is no way to add my own terms).

I want to be able to display charts that show that critical information on a Dashboard and in reports, right now I seem strictly limited in my choice of Terms.

Can you try refreshing the index pattern. The event_data.* fields are dynamic since we don't know them all in advance. Once you refresh the index pattern those fields will then be known to Kibana.

In Kibana, Management -> Index Patterns -> Click on winlogbeat-* -> Find the refresh button and click it.

(That probably explains why there was an error when you tried to import the dashboards from the JSON files.)
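The refresh works because Elasticsearch adds event_data.* fields to the index mapping dynamically as new event types arrive, while Kibana only reads that mapping when the index pattern is created or refreshed. A practical check before clicking refresh is to ask the cluster which event_data fields it has actually mapped (GET winlogbeat-*/_mapping) and compare with what Kibana offers. The following is an added example, not code from the thread or from Elastic: it parses a mapping response in that shape and lists the event_data.* leaf fields across all matching indices. The mapping excerpt is constructed for the example, with a field that first appears in a later daily index, which is exactly the situation that makes a refresh necessary.

```python
"""List the event_data.* leaf fields present in an Elasticsearch mapping response.
SAMPLE_MAPPING_JSON is a constructed excerpt in the shape of GET winlogbeat-*/_mapping;
in practice fetch it from the cluster. Handles both the older per-type layout
(mappings -> <type> -> properties) and the typeless layout (mappings -> properties)."""
import json

SAMPLE_MAPPING_JSON = json.dumps({
    "winlogbeat-2017.01.01": {"mappings": {"wineventlog": {"properties": {
        "event_id": {"type": "long"},
        "computer_name": {"type": "keyword"},
        "tags": {"type": "keyword"},
        "event_data": {"properties": {
            "LogonType": {"type": "keyword"},
            "SubjectUserName": {"type": "keyword"},
            "TargetUserName": {"type": "keyword"},
        }},
    }}}},
    "winlogbeat-2017.01.02": {"mappings": {"wineventlog": {"properties": {
        "event_id": {"type": "long"},
        "event_data": {"properties": {
            "LogonType": {"type": "keyword"},
            # only seen once events carrying this field were indexed on day 2
            "TargetDomainName": {"type": "keyword"},
        }},
    }}}},
})


def leaf_fields(properties, prefix=""):
    """Yield (dotted_path, type) for every leaf under a 'properties' block."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:            # object field: recurse into sub-fields
            yield from leaf_fields(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")


def mapped_fields(mapping_json, prefix="event_data."):
    """Union of mapped fields across all indices in the response; returns {field: type}.
    Kibana's index pattern likewise covers every index matching winlogbeat-*, so a
    field mapped in only one daily index still shows up after a refresh."""
    fields = {}
    for index in json.loads(mapping_json).values():
        mappings = index.get("mappings", {})
        # typeless layout has 'properties' directly; per-type layout nests one level deeper
        type_blocks = [mappings] if "properties" in mappings else list(mappings.values())
        for block in type_blocks:
            for path, ftype in leaf_fields(block.get("properties", {})):
                if path.startswith(prefix):
                    fields[path] = ftype
    return fields


def missing_from_kibana(mapping_json, kibana_known):
    """Fields the cluster has mapped that the (stale) index pattern does not list yet."""
    return sorted(set(mapped_fields(mapping_json)) - set(kibana_known))


if __name__ == "__main__":
    for path, ftype in sorted(mapped_fields(SAMPLE_MAPPING_JSON).items()):
        print(f"{path}: {ftype}")
    stale = ["event_data.LogonType", "event_data.SubjectUserName", "event_data.TargetUserName"]
    print("needs refresh for:", missing_from_kibana(SAMPLE_MAPPING_JSON, stale))
```

If the cluster's list contains fields the Terms aggregation does not offer, refreshing the index pattern is the fix; if a field is absent from the mapping as well, the events carrying it have not been indexed yet and no amount of refreshing will surface it.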

Thank you!

Refreshing the index pattern exposed a long list of event_data fields that I can now search / filter on. I'm going to test out a bunch of visualization settings, but this seems to have solved the problem.
