如何在 Kibana 中取消过滤器查询
How to negate filter query in Kibana
我正在使用 ELK 堆栈,我正在尝试了解如何可视化除来自特定 IP 范围(例如 10.0.0.0/8)的日志之外的所有日志。有什么方法可以否定过滤器查询:
{"wildcard":{"src_address":"10.*"}}
我把它放到 Buckets -> Split Bars -> Aggregation -> Filters 我想否定这个查询所以我得到了除了 10.0.0.0/8 之外的所有日志
这是整个 JSON 请求:
{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "low_level_category:\"user_authentication_failure\" AND NOT src_address:\"10.*\"",
"analyze_wildcard": true
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": 1474384885044,
"lte": 1474989685044,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"size": 0,
"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"interval": "3h",
"time_zone": "Europe/Berlin",
"min_doc_count": 200,
"extended_bounds": {
"min": 1474384885043,
"max": 1474989685043
}
},
"aggs": {
"3": {
"terms": {
"field": "src_address.raw",
"size": 5,
"order": {
"_count": "desc"
}
}
}
}
}
}
}
谢谢
您可以在 Kibana 搜索框中输入此内容,它应该会为您提供所需的内容:
NOT src_address:10.*
我正在使用 ELK 堆栈,我正在尝试了解如何可视化除来自特定 IP 范围(例如 10.0.0.0/8)的日志之外的所有日志。有什么方法可以否定过滤器查询:
{"wildcard":{"src_address":"10.*"}}
我把它放到 Buckets -> Split Bars -> Aggregation -> Filters 我想否定这个查询所以我得到了除了 10.0.0.0/8 之外的所有日志
这是整个 JSON 请求:
{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "low_level_category:\"user_authentication_failure\" AND NOT src_address:\"10.*\"",
"analyze_wildcard": true
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": 1474384885044,
"lte": 1474989685044,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"size": 0,
"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"interval": "3h",
"time_zone": "Europe/Berlin",
"min_doc_count": 200,
"extended_bounds": {
"min": 1474384885043,
"max": 1474989685043
}
},
"aggs": {
"3": {
"terms": {
"field": "src_address.raw",
"size": 5,
"order": {
"_count": "desc"
}
}
}
}
}
}
}
谢谢
您可以在 Kibana 搜索框中输入此内容,它应该会为您提供所需的内容:
NOT src_address:10.*