Kibana: Ability to compare if fields are identical from different sources
We are trying to compare ip addresses from our firewall and ip reputation database. This was not an option in logstash and we were hoping we could accomplish this at some point in Kibana.
Betsworth22
All 9 comments
Can you please describe exactly how you would envision this feature working?
rashidkpc
on 20 May 2013
Ok lets just use our example to help simplify how it would work. Lets say you have information coming in from a firewall and it is setup like @type:firewall and within that information you have a src_ip and dst_ip setup as fields. (Examples @fields.src_ip and @fields.dst_ip)
Our second source is coming in from an ip-reputation database known as threats so it is setup as @type:threats with both a @fields.src_ip and @fields.dst_ip.
Compare two fields and filter events that match only. So if a src_ip matches a known threat src_ip it would show up in the logs listed in Kibana and filter out the ones that do not match.
I see the panel options being something like below
Source 1
Type : @type:firewall Field : @fields.src_ip
Source 2
Type : @type:threats Field : @fields.src_ip
All it has to do is search the fields and match only identical results and then filter out the ones that do not. Then I can use the current panels and charts to make it look pretty. Great job on this product by the way. We look forward to helping you grow this product and offer ideas and support where we can.
Cody
Betsworth22
on 21 May 2013
Accidentally closed this issue. Reopening.
Betsworth22
on 21 May 2013
Unfortunately this would really require join support on the Elasticsearch side. You can track the progress of that here: https://github.com/elasticsearch/elasticsearch/issues/6769
rashidkpc
on 7 Oct 2014
some information when this issue is going to be fix?
Bl4ckD4wn
on 2 Nov 2015
For those interested, we extended Matt Weber original PR https://github.com/elastic/elasticsearch/pull/3278 into a plugin and are maintaining a Kibana version that supports this (relational filters etc) please check http://siren.solution/kibi
it does have limitations, but within those, it works nicely
jccq
on 5 Jan 2016
Please note, myself and we at Elastic don't consider the Join support built on top of Matt Webber pull request (which ended up being copied by Kibi) to be correct implementation, which is the reason we did not pull it in at the end. The set of limitations it imposes ends up contradicting one of the most fundamental concepts we have in Elasticsearch, which is building features that scale.
@jccq I will mention this position in other threads, since there seem to be a flux of comments on several other GitHub issues and threads here, and I would appreciate slowing down on those.
kimchy
on 23 Oct 2016
@kimchy I'm pretty sure this is working some way or another in ELK6.
This can probably be closed for either being stale or for being implemented.
jstoja
on 29 Jun 2018
There hasn鈥檛 been active discussion on this issue for quite awhile. We鈥檙e doing a cleaning of our backlog. If you feel this closure is in error please feel free to reopen.
stacey-gammon
on 8 Aug 2018
Related issues
socialmineruser1
路
3Comments
timroes
路
3Comments
timroes
路
3Comments
stacey-gammon
路
3Comments
spalger
路
3Comments
Most helpful comment
Please note, myself and we at Elastic don't consider the Join support built on top of Matt Webber pull request (which ended up being copied by Kibi) to be correct implementation, which is the reason we did not pull it in at the end. The set of limitations it imposes ends up contradicting one of the most fundamental concepts we have in Elasticsearch, which is building features that scale.
@jccq I will mention this position in other threads, since there seem to be a flux of comments on several other GitHub issues and threads here, and I would appreciate slowing down on those.