I am having trouble creating a particular type of visualization in Kibana. My events in Kibana are statistics on communications between two ip address. Two of the fields are lists of ports used by the particular ip address. An example of the fields would be:
ip1 = 192.168.101.2
ip2 = 192.168.101.3
ip2Ports = 80,443
ip1Ports = 80,57000,0
I would like to have a top count of all the values such as
port count
80 2
57000 1
443 1
I have been able to parse ip2Ports to be ip2Ports_List.column1, ip2Ports_List.column2, ect, but I can only choose one term with term aggregation in the visualization. I can split the chart, but that leads to separate counts for each field. If I go by the original ip2Ports field, it is just aggregated as the string such as, "80,443".
Is it even possible to create a top count visualization of fields with multiple values? If so, how would I do so. If not, is there a way to restructure my data so I can do it? Thank you!
答案 0 :(得分:0)
我的问题源于Logstash发送的格式的值。我曾经想过' ip2Ports_List.column1' format是使用csv过滤器的结果,是数组的一部分。它不是。在分析之后,' ip2Ports_List.column1'似乎与新领域没什么不同。
弹性需要一个数组来为我提供我想要的可视化效果。我不确定生产它的最佳方法是什么,所以我最终使用了红宝石过滤器。这就是代码最终看起来像:
{{1}}
在哪里' portsIp'看起来像" 80,443"。拆分它变成' portsIp'进入 Ruby数组。我只是将该数组设置为新事件字段的值,' portsIpArray'。
从那时我尝试想象端口IpArray'字段,它看起来我想要它,将每个端口视为单独的值,并仍然将每个端口与相同的事件/字段相关联。
<强>附加: 我发现的另一件事是,如果你像我一样直接在Logstash配置文件中编写你的代码,如果你在双引号代码中使用双引号,Logstash就不喜欢它了。事后看来这是有道理的,但它并没有给出明确的错误,所以很难弄清楚。