I am visualising IDS alerts. First aggregation is easy: term: { field: alert.signature.keyword }, metric count. For the next two columns I want the number of unique src and dest IP addresses. I have a dsql query that produces the data but I can't figure out how to do this in Kibana:
so a line in the table would look like:

| Signature | Count | src | dst |
|---|---|---|---|
| ET DOS Potential CLDAP Amplification Reflection | 23 | 1 | 23 |
| ET POLICY PE EXE or DLL Windows file download HTTP | 18 | | |
| ET POLICY Vulnerable Java Version 11.0.x Detected | 14 | | |
| ET P2P BitTorrent DHT ping request | 12 | | |
let's have another go at that table!

| Signature | Count | src IPs | dst IPs |
|---|---|---|---|
| ET DOS Potential CLDAP Amplification Reflection | 23 | 1 | 23 |
| ET POLICY PE EXE or DLL Windows file download HTTP | 18 | ..... | |
| ET POLICY Vulnerable Java Version 11.0.x Detected | 14 | | |
| ET P2P BitTorrent DHT ping request | 12 | | |
To do the equivalent of a "cardinality aggregation" in Kibana, use the "Unique count" metric.
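As an added illustration (not part of this thread), the block below shows what the Kibana data table described above asks Elasticsearch for: a `terms` bucket on `alert.signature.keyword` with two `cardinality` sub-aggregations, which is exactly what the "Unique count" metric issues. It also computes the same table locally over a constructed handful of Suricata-style EVE alert records so the expected numbers can be checked offline. The IP field names `src_ip` and `dest_ip` are assumptions (the thread never names them); `alert.signature.keyword` is taken from the question.

```python
import json
from collections import defaultdict

# Constructed sample alerts (not real traffic), shaped like Suricata EVE records.
# The CLDAP row deliberately has one source talking to several destinations,
# the pattern that makes the src/dst unique counts useful for triage.
SAMPLE_ALERTS = [
    {"alert": {"signature": "ET DOS Potential CLDAP Amplification Reflection"},
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.1"},
    {"alert": {"signature": "ET DOS Potential CLDAP Amplification Reflection"},
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.2"},
    {"alert": {"signature": "ET DOS Potential CLDAP Amplification Reflection"},
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.3"},
    {"alert": {"signature": "ET P2P BitTorrent DHT ping request"},
     "src_ip": "10.0.0.7", "dest_ip": "203.0.113.9"},
    {"alert": {"signature": "ET P2P BitTorrent DHT ping request"},
     "src_ip": "10.0.0.8", "dest_ip": "203.0.113.9"},
    {"alert": {"signature": "ET POLICY Vulnerable Java Version 11.0.x Detected"},
     "src_ip": "10.0.0.9", "dest_ip": "203.0.113.20"},
]


def unique_count_query(signature_field="alert.signature.keyword",
                       src_field="src_ip", dst_field="dest_ip", size=10):
    """Build the aggregation body behind a Kibana data table with a Terms
    bucket (rows) and Count + two Unique count metrics (columns).

    Kibana's "Unique count" is the Elasticsearch `cardinality` aggregation,
    nested under the `terms` bucket so it is evaluated per signature.
    Field names for the IPs are assumptions for this example.
    """
    return {
        "size": 0,  # we only want buckets, not hits
        "aggs": {
            "signatures": {
                "terms": {
                    "field": signature_field,
                    "size": size,
                    "order": {"_count": "desc"},
                },
                "aggs": {
                    "src_ips": {"cardinality": {"field": src_field}},
                    "dst_ips": {"cardinality": {"field": dst_field}},
                },
            }
        },
    }


def aggregate_locally(alerts, src_field="src_ip", dst_field="dest_ip"):
    """Compute the same table in Python: (signature, count, unique src, unique dst).

    This is exact. Elasticsearch's cardinality aggregation is approximate
    (HyperLogLog++), so above its precision_threshold the numbers in Kibana
    can differ slightly from an exact count.
    """
    rows = defaultdict(lambda: {"count": 0, "src": set(), "dst": set()})
    for alert in alerts:
        row = rows[alert["alert"]["signature"]]
        row["count"] += 1
        row["src"].add(alert[src_field])
        row["dst"].add(alert[dst_field])
    table = [(sig, r["count"], len(r["src"]), len(r["dst"]))
             for sig, r in rows.items()]
    # Same ordering the terms agg uses: count descending, then name for stability.
    table.sort(key=lambda t: (-t[1], t[0]))
    return table


if __name__ == "__main__":
    print(json.dumps(unique_count_query(), indent=2))
    print(f"{'Signature':<52}{'Count':>6}{'src':>5}{'dst':>5}")
    for sig, count, src, dst in aggregate_locally(SAMPLE_ALERTS):
        print(f"{sig:<52}{count:>6}{src:>5}{dst:>5}")
```

The IP fields must be aggregatable for "Unique count" to be offered: an `ip`-typed field works directly, while a `text` field needs its `.keyword` sub-field, just as the signature column uses `alert.signature.keyword`.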