
With the ELK (Elasticsearch-Logstash-Kibana) stack, I collect syslog logs from *nix boxes into Logstash and send them to Kibana via Elasticsearch. This is a classic scenario.

My syslog log includes normal system events, squid access logs, captive portal login logs, etc. Captive portal logins are logged as:

1423548430 2582 192.168.1.23 xx:ae:xx:e1:xx:99 mike.brown cc9aeb1210b39571 MTI= first

and

squid access logs are logged as:

1423562965.228    482 192.168.1.23 TCP_MISS/200 1254 POST http://ad4.liverail.com/? - DIRECT/31.13.93.12 text/xml

In Logstash, I have filtered the captive portal log and got client_ip="192.168.1.23", user_name="mike.brown". In a different filter in the Logstash configuration I have also filtered the squid access log and got src_ip="192.168.1.23".

My question is: how can I query in Kibana to get user_name where the client_ip of the squid access log equals the src_ip of the captive portal log?

Val
hakansel

1 Answer


You can't do joins in Elasticsearch. They discuss a few of the options for relationships in this doc.

Alain Collins
  • Is this a weakness of Elasticsearch? I think so, and the weird thing is you have the data but you cannot query it. Thanks. – hakansel Feb 11 '15 at 08:08
  • I think of it as a document store, not a database. Do you fault a bicycle for not being able to bake bread? – Alain Collins Feb 11 '15 at 18:03
  • Could you extend the answer a little more? It matters to me (http://stackoverflow.com/questions/33549171/correlate-messages-in-elk-by-field) – AMS Nov 06 '15 at 15:04
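Since Elasticsearch does not join indices at query time, the practical alternative is to denormalise at ingest: resolve each squid event's src_ip to a user_name against the captive portal logins before it is indexed, so Kibana can filter and aggregate proxy traffic per user directly. The following is an added Python example, not code from the question or the answer; the sample lines are constructed in the shape the question quotes, and the field positions (timestamp, IP, user name) in both formats are assumptions drawn from those samples.

```python
import bisect
from collections import defaultdict

# Constructed sample lines, modelled on the two formats quoted in the question.
CAPTIVE_PORTAL_LOG = """\
1423548430 2582 192.168.1.23 xx:ae:xx:e1:xx:99 mike.brown cc9aeb1210b39571 MTI= first
1423560000 2590 192.168.1.23 xx:ae:xx:e1:xx:77 jane.doe 8fa1c0d2e3b44e11 MTI= first
"""
SQUID_ACCESS_LOG = """\
1423548500.101    120 192.168.1.23 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1423562965.228    482 192.168.1.23 TCP_MISS/200 1254 POST http://ad4.liverail.com/? - DIRECT/31.13.93.12 text/xml
1423562970.000     33 192.168.1.99 TCP_MISS/200 300 GET http://example.net/ - DIRECT/10.0.0.1 text/html
"""

def parse_captive_portal(text):
    """Yield (epoch, client_ip, user_name); field positions are assumed from the sample."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5:
            yield int(f[0]), f[2], f[4]

def parse_squid(text):
    """Yield the squid native-format fields the question's Logstash filter extracts."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7:
            yield {"timestamp": float(f[0]), "src_ip": f[2], "method": f[5], "url": f[6]}

def build_login_index(cp_text):
    """Per IP, a time-sorted list of (epoch, user). Keeping the login time matters:
    a DHCP address reassigned to another user must resolve to whoever held it then."""
    idx = defaultdict(list)
    for ts, ip, user in parse_captive_portal(cp_text):
        idx[ip].append((ts, user))
    return {ip: sorted(logins) for ip, logins in idx.items()}

def user_for(idx, ip, ts):
    """Most recent captive portal login for ip at or before ts, or None if unknown."""
    logins = idx.get(ip, [])
    i = bisect.bisect_right([t for t, _ in logins], ts)
    return logins[i - 1][1] if i else None

def enrich_squid(squid_text, idx):
    """Denormalise at ingest time: stamp user_name onto each squid event so Kibana
    can filter and aggregate proxy traffic per user with no join at query time."""
    events = []
    for ev in parse_squid(squid_text):
        ev["user_name"] = user_for(idx, ev["src_ip"], ev["timestamp"])
        events.append(ev)
    return events
```

In a real pipeline the same lookup would run inside Logstash (for example in a filter keyed on src_ip) rather than in a standalone script, but the time-aware resolution is what keeps attribution correct when addresses are reused.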