Hello all. We have been using a commercial product called Scrutinizer for the last couple of years. Our support contract has expired and we have decided to give Elastiflow a try. I have just set up our server cluster, installed Elastiflow, and started collecting flows.
I am still very much in the process of learning how to use Kibana. Currently I am stuck performing a discovery that I could perform in Scrutinizer. What I am trying to do is filter based upon a single exporter (Cisco switch), one of its interfaces, but for both ingress and egress flows. Then I want to visualize the results.
Of all the fields that I see in the netflow messages from my Cisco switch, I only see flow.input.ifname and flow.output.ifname. I don't see anything like flow.ifname or just ifname.
So far I have tried the following using the 'Add filter' button.
event.host:switch, flow.direction is one of ingress,egress.
This works but when I add flow.input.ifname: interface1, the results are for only ingress flows. If I add another filter of flow.output.ifname:interface1, I get no results. This makes sense to me because the results have already been filtered for flow.input. How do I do a logical AND or OR?
thanks
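Added example, not part of the original post: separate Kibana filter pills are combined with AND, so the OR the question asks for has to be written explicitly, either in the KQL search bar or as a query DSL filter. The snippet below writes both forms using the field names and values from the post, and evaluates them against a few constructed flow records (the records and the small evaluator are assumptions for illustration, not ElastiFlow code).

```python
# Added example, not from the post: the AND that two "Add filter" entries
# produce versus an OR across both interface fields, as KQL and query DSL,
# checked against constructed sample flows.

# KQL for the Kibana search bar; the parentheses give the OR.
KQL_OR = 'event.host:switch and (flow.input.ifname:interface1 or flow.output.ifname:interface1)'

# Same logic as query DSL (a Kibana filter can be edited as query DSL).
QUERY_DSL_OR = {"bool": {"filter": [
    {"term": {"event.host": "switch"}},
    {"bool": {"should": [
        {"term": {"flow.input.ifname": "interface1"}},
        {"term": {"flow.output.ifname": "interface1"}}],
        "minimum_should_match": 1}},
]}}

# Two separate filters are ANDed: a flow must carry interface1 on BOTH sides.
QUERY_DSL_AND = {"bool": {"filter": [
    {"term": {"event.host": "switch"}},
    {"term": {"flow.input.ifname": "interface1"}},
    {"term": {"flow.output.ifname": "interface1"}},
]}}

# Constructed sample flows using the field names from the post.
SAMPLE_FLOWS = [
    {"event.host": "switch", "flow.direction": "ingress",
     "flow.input.ifname": "interface1", "flow.output.ifname": "interface2"},
    {"event.host": "switch", "flow.direction": "egress",
     "flow.input.ifname": "interface3", "flow.output.ifname": "interface1"},
    {"event.host": "switch", "flow.direction": "ingress",
     "flow.input.ifname": "interface2", "flow.output.ifname": "interface3"},
    {"event.host": "router", "flow.direction": "egress",
     "flow.input.ifname": "interface1", "flow.output.ifname": "interface1"},
]

def matches(flow, query):
    """Evaluate the term/bool subset of query DSL used above against one flow."""
    if "term" in query:
        ((field, value),) = query["term"].items()
        return flow.get(field) == value
    b = query["bool"]
    if not all(matches(flow, q) for q in b.get("filter", [])):
        return False
    should = b.get("should")
    if should:
        return sum(matches(flow, q) for q in should) >= b.get("minimum_should_match", 1)
    return True

def count_matches(query, flows=SAMPLE_FLOWS):
    # Number of sample flows the query would return.
    return sum(matches(f, query) for f in flows)
```

With these records the ANDed pair returns nothing, while the OR form returns both the ingress and the egress flow on interface1.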