Use of fingerprint for searching, visualizing, etc

Sylvain-69 · March 21, 2018, 4:57am

Hello everybody !

Here is what I have in elasticsearch :

URL access logs with those fields :

SourceIP, SourcePort, DestIP, DestPort, User, SessionID, Fingerprint (made with all the previous fields), URL.

Into the same index I have traffic logs with those fields :

SourceIP, SourcePort, DestIP, DestPort, User, SessionID, Fingerprint (made with all the previous fields), BytesRecived, BytesSent.

I would like to be able to correlate the two logs with the fingerprint so I can see for example a top 10 of the accessed URLs by bytes received or sent.

Is that possible ?

warkolm · March 22, 2018, 5:52am

That's a join using the fingerprint value, and Elasticsearch cannot do joins.

You could use the fingerprint value as the _id and then update the initial document with the new info (whether that is the URL or the bytes).

system · April 19, 2018, 5:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.