Hello,
I have logs in two indexes,
Index=flow_log
Fields required,
src_ip, src_port, dest_ip, dest_port, network interface
Index=config
src_ip, network interface, security group ID , security group name
In both indexes the src_ip and network interface information are common. I want to make a dashboard with these indexes and the fields below. How do I combine these different fields in one dashboard?
network interface src_ip src_port dest_ip dest_port security group id security group name.
Please help.
Search both indexes then use the stats command to group the results by the common fields.
index=flow_log OR index=config
| stats values(*) as * by network_interface src_ip
| table network_interface src_ip src_port dest_ip dest_port security_group_id security_group_name
Hello richgalloway,
Thank you for your quick response!
I am getting the below result in the table,
network_interface src_ip src_port dest_ip dest_port
The below fields are blank; these fields are only available in the config index.
security_group_id security_group_name
Double-check the field names. I took the liberty of replacing spaces in the OP with underscores, but if the real field names are different then the query will have to be updated to match reality.
The field names are correct, but when I table the result it comes up blank.
If the fields are empty then there is no value for that src_ip/network_interface pair in the config index.
If you sort on the security_group_name and/or security_group_id fields do you see any values? If you do then check the src_ip and network_interface values to make sure the same values are present in both indexes.
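Added example (not code from the thread or from Splunk): a small Python model of what the suggested search does, `index=flow_log OR index=config | stats values(*) as * by network_interface src_ip`, run over a handful of constructed events, plus the check the last reply recommends, comparing the src_ip/network_interface values present in each index. The sample events, interface IDs, IPs and security group values are invented for illustration. The second interface is deliberately stored in the config events with different case and a trailing space, so its security_group columns come out blank exactly as described above, and `find_near_misses` points at the mismatch.

```python
"""Model of `stats values(*) as * by network_interface src_ip` across two indexes.

Added illustration with constructed sample events; not the thread's own data.
"""
from collections import defaultdict

# Constructed flow_log events (hypothetical values).
FLOW_LOG = [
    {"index": "flow_log", "network_interface": "eni-0a1b", "src_ip": "10.0.1.5",
     "src_port": "49152", "dest_ip": "10.0.2.9", "dest_port": "443"},
    {"index": "flow_log", "network_interface": "eni-0a1b", "src_ip": "10.0.1.5",
     "src_port": "49153", "dest_ip": "10.0.2.9", "dest_port": "443"},
    {"index": "flow_log", "network_interface": "eni-0c2d", "src_ip": "10.0.1.7",
     "src_port": "51000", "dest_ip": "10.0.3.4", "dest_port": "22"},
]

# Constructed config events. The second one carries the same interface/IP as the
# third flow event but with different case and a trailing space, so the join key
# does not match and the security_group fields stay blank for that flow.
CONFIG = [
    {"index": "config", "network_interface": "eni-0a1b", "src_ip": "10.0.1.5",
     "security_group_id": "sg-111", "security_group_name": "web"},
    {"index": "config", "network_interface": "ENI-0C2D", "src_ip": "10.0.1.7 ",
     "security_group_id": "sg-222", "security_group_name": "bastion"},
]

KEY = ("network_interface", "src_ip")
COLUMNS = ["network_interface", "src_ip", "src_port", "dest_ip", "dest_port",
           "security_group_id", "security_group_name"]


def stats_values_by(events, key_fields=KEY):
    """Emulate `stats values(*) as * by <key_fields>`.

    Every event with all by-fields present is grouped on the by-field tuple and,
    for each other field, the distinct values seen in that group are collected.
    Events missing a by-field are dropped, as stats does.
    """
    groups = defaultdict(lambda: defaultdict(set))
    for ev in events:
        key = tuple(ev.get(k) for k in key_fields)
        if any(v is None for v in key):
            continue
        for field, value in ev.items():
            if field not in key_fields:
                groups[key][field].add(value)
    return groups


def combine(flow_events, config_events, key_fields=KEY):
    """`index=flow_log OR index=config` returns the union; then group it."""
    return stats_values_by([*flow_events, *config_events], key_fields)


def table(groups, columns=COLUMNS, key_fields=KEY):
    """Emulate `| table ...`: one row per group, multivalue fields as sorted lists,
    an empty list where the group never saw that field (blank cell in Splunk)."""
    rows = []
    for key, fields in sorted(groups.items()):
        row = dict(zip(key_fields, key))
        for col in columns:
            if col not in row:
                row[col] = sorted(fields.get(col, set()))
        rows.append(row)
    return rows


def normalize(value):
    """Canonical form used only for the diagnostic: trimmed, lower-cased."""
    return str(value).strip().lower()


def find_near_misses(flow_events, config_events, key_fields=KEY):
    """For each flow_log key with no exact config match, report the config key
    that would match after normalization (None if config has nothing at all).
    This is the 'check the src_ip and network_interface values' step."""
    flow_keys = {tuple(e[k] for k in key_fields) for e in flow_events}
    config_keys = {tuple(e[k] for k in key_fields) for e in config_events}
    config_by_norm = {tuple(normalize(x) for x in k): k for k in config_keys}
    return {k: config_by_norm.get(tuple(normalize(x) for x in k))
            for k in flow_keys - config_keys}


if __name__ == "__main__":
    for row in table(combine(FLOW_LOG, CONFIG)):
        print(row)
    print("unmatched flow_log keys:", find_near_misses(FLOW_LOG, CONFIG))
```

Running it prints three rows: the first interface gets both ports as a multivalue `src_port` plus its security group, the second flow interface has blank security_group columns, and the mis-cased config key appears as its own row with blank flow fields. If `find_near_misses` reports a near-miss like this, normalizing the key fields before the `stats` (for example `| eval src_ip=trim(src_ip), network_interface=lower(network_interface)`) makes the two indexes line up.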