Hi,
I am trying to query get same user login more than one ip address. elasticsearch.
If you know please reply. Thank you friends.
Hey,
please invest some more time to write up a question, that others can make sense of it.
If you are trying to write a query please use the elasticsearch forum, but provide your data model and the query you tried. If this is a watcher issue, be more verbose (and still provide the above information, plus the watch you are trying to create).
Thanks.
--Alex
Bare with my language.
We use cloudtrail to log AWS user login and the cloudtrail logs been configured in ELK and indexed. I'm writing a watcher script to query and fetch user information for the following condition:
- When multiple login found for the same user (logged in from more than one IP address at same time in this case), watcher will trigger email notification. Query should return the user name and the list of IP's from which the user logged in.
Hey,
it's not a language barrier here. Your issue still lacks a complete problem description. This is not just the problem, but also the data model, the document layout, the mapping, and the query you have been building so far.
I sense that this could be solved with aggregations, but this assumption is not really helpful to you, as long as there are no real facts backing it due to missing knowledge.
--Alex
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.