robcowart / elastiflow

Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack

how to filter for CIDR on ELK 7.9.1, Elastiflow 4.0.1 #681

Closed espi23 closed 3 years ago

espi23 commented 3 years ago

Hi,

I tried checking conn.src_addr (https://github.com/robcowart/elastiflow/issues/382) and flow.client_addr or flow.dst_addr (https://github.com/robcowart/elastiflow/issues/433), but I was unable to check any fields and values. I would like to ask for some assistance on how to filter for CIDR on ELK 7.9.1, Elastiflow 4.0.1.

Thanks

robcowart commented 3 years ago

The issues you linked to are just examples of how to do IP-related queries. However, you have to use a field that is in the data. Since ElastiFlow 4.0.x uses Elastic Common Schema, examples of such fields are source.ip and destination.ip.
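
As an added illustration of the reply above (this is example code, not part of the ElastiFlow project or of this thread), the snippet below builds the Elasticsearch query that filters the ECS fields source.ip and destination.ip by CIDR, and checks the same rule locally against a few constructed flow documents so you can see which records a given prefix selects before sending the query to the cluster. Elasticsearch `ip`-mapped fields accept CIDR notation directly in a term query; the sample documents, field values and the helper names are assumptions made for the example.

```python
"""Build a CIDR filter on ECS ip fields and check it against sample flow records.

Added example, not ElastiFlow's own code. Assumes the ECS field names
source.ip / destination.ip named in the reply above; the flow documents
below are constructed for the example, not real traffic.
"""
import ipaddress
import json

# Constructed sample of ECS-style flow documents, flattened to the dotted
# keys Kibana shows in Discover.
SAMPLE_FLOWS = [
    {"source.ip": "10.1.2.3", "destination.ip": "8.8.8.8", "network.bytes": 1200},
    {"source.ip": "192.168.10.5", "destination.ip": "10.200.1.1", "network.bytes": 560},
    {"source.ip": "203.0.113.9", "destination.ip": "198.51.100.4", "network.bytes": 4096},
    {"source.ip": "2001:db8::10", "destination.ip": "2001:db8:1::1", "network.bytes": 80},
]


def cidr_query(field, cidr):
    """Return an Elasticsearch query body matching `field` against `cidr`.

    Fields mapped as type `ip` accept CIDR notation in a plain term query,
    so no range or script logic is needed. The prefix is validated first so
    a typo fails here instead of as an opaque search error.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    return {"query": {"term": {field: str(network)}}}


def either_side_query(cidr):
    """Match flows where either endpoint lies inside `cidr`."""
    network = str(ipaddress.ip_network(cidr, strict=False))
    return {
        "query": {
            "bool": {
                "should": [
                    {"term": {"source.ip": network}},
                    {"term": {"destination.ip": network}},
                ],
                "minimum_should_match": 1,
            }
        }
    }


def matches_locally(doc, field, cidr):
    """Local equivalent of the term/CIDR query, for sanity-checking expectations."""
    value = doc.get(field)
    if value is None:
        return False
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        # A non-IP value (or an IPv4 address tested against an IPv6 prefix) never matches.
        return False


def filter_flows(docs, field, cidr):
    """Documents whose `field` falls inside `cidr`."""
    return [d for d in docs if matches_locally(d, field, cidr)]


def filter_either_side(docs, cidr):
    """Documents where source.ip or destination.ip falls inside `cidr`."""
    return [
        d for d in docs
        if matches_locally(d, "source.ip", cidr) or matches_locally(d, "destination.ip", cidr)
    ]


if __name__ == "__main__":
    # The body you would POST to <index>/_search on the ElastiFlow indices.
    print(json.dumps(cidr_query("source.ip", "10.0.0.0/8"), indent=2))
    for flow in filter_either_side(SAMPLE_FLOWS, "10.0.0.0/8"):
        print("would match:", flow)
```

The same `field: "10.0.0.0/8"` form is what you type into the Kibana search bar once the field is mapped as `ip`; fields from the older flow.* naming are simply absent from 4.0.x documents, which is why queries against them return nothing.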

espi23 commented 3 years ago

Thanks for the quick reply,