Best way to aggregate values of 2 fields


DanTheMan

Feb 3, 2022, 4:20:16 AM
to Wazuh mailing list
Hi,

my idea is to create a visualization for our dashboard, that shows the evolution of source IPs.

Since I have at least 2 different fields being extracted from different logs (one is called audit.srcip and one is just srcip), I don't know how to use these fields as if they were the same, because in the end both are source IPs.

In the attached screenshot (visualization1.png) they should be aggregated to one field.

I thought about 2 ways to solve this:

1. Change the name of the field "audit.srcip" to just "srcip". I was thinking about "overwriting" the decoder that extracts the value.
This would be my preferred solution because I would also like to create a list/table of events and display the source IP without having to use 2 columns (one for audit.srcip and one for srcip), see visualization2.png.

2. Aggregate in Kibana (but I don't know how to do that).

BR
Dan

visualization1.png
visualization2.png

elw...@wazuh.com

Feb 3, 2022, 5:06:32 AM
to Wazuh mailing list
Hello Dan,

The best approach, as you mentioned, is to change the name of the field to srcip, since the aggregation at the level of Kibana would require using scripted fields (https://www.elastic.co/blog/using-painless-kibana-scripted-fields), which would consume resources in vain.

Hope this helps.

Regards,
Wali
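For completeness, this is what the Kibana-side alternative Wali refers to would look like: an added example of a Painless scripted field (type: string) that coalesces the two fields into one value, not code from the thread or from Wazuh. It assumes both fields are mapped as aggregatable keyword fields and uses the field names as Dan wrote them; in a wazuh-alerts index pattern the paths may be prefixed (for example under data.), so adjust them to your mapping. The containsKey and size() checks are what keep the script from erroring on documents where one of the fields is unmapped or absent, which is exactly the case this thread is about (different logs populate different fields).

```painless
// Kibana scripted field: return the source IP from whichever field is populated.
// containsKey guards against indices where the field is not mapped at all;
// size() guards against documents where it is mapped but has no value.
// Field names are assumed from the thread; prefix them (e.g. data.) to match your index.
if (doc.containsKey('srcip') && doc['srcip'].size() > 0) {
  return doc['srcip'].value;
}
if (doc.containsKey('audit.srcip') && doc['audit.srcip'].size() > 0) {
  return doc['audit.srcip'].value;
}
// Neither field present: leave the scripted field empty for this document.
return null;
```

Because the script runs per document at query time on every visualization that uses the field, the decoder-side rename is the cheaper option once the index holds a meaningful volume of alerts.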