How to negate filter query in Kibana

I'm using the ELK stack and I'm trying to find out how to visualize all logs except those from specific IP ranges (for example 10.0.0.0/8). Is there any way to negate this filter query:

    {"wildcard":{"src_address":"10.*"}}

I put it in Buckets -> Split Bars -> Aggregation -> Filters and I would like to negate this query so that I get all logs except those from 10.0.0.0/8.

This is the whole JSON request:

    {
      "query": {
        "filtered": {
          "query": {
            "query_string": {
              "query": "low_level_category:\"user_authentication_failure\" AND NOT src_address:\"10.*\"",
              "analyze_wildcard": true
            }
          },
          "filter": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": 1474384885044,
                      "lte": 1474989685044,
                      "format": "epoch_millis"
                    }
                  }
                }
              ],
              "must_not": []
            }
          }
        }
      },
      "size": 0,
      "aggs": {
        "2": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "3h",
            "time_zone": "Europe/Berlin",
            "min_doc_count": 200,
            "extended_bounds": {
              "min": 1474384885043,
              "max": 1474989685043
            }
          },
          "aggs": {
            "3": {
              "terms": {
                "field": "src_address.raw",
                "size": 5,
                "order": {
                  "_count": "desc"
                }
              }
            }
          }
        }
      }
    }

Thanks

asked Sep 27 '16 14:09 by Majzlik





1 Answer

You can input this in the Kibana search box and it should get you what you need:

    NOT src_address:10.*
answered Oct 24 '22 04:10 by Val

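An added example, not part of the question or of Val's answer: it builds the query-DSL form of that negation (the wildcard wrapped in `bool.must_not`, usable in a Filters bucket), and checks on constructed sample records that `10.*` excludes exactly the 10.0.0.0/8 range while `10*` would also drop 100.x.x.x addresses. It assumes `src_address` holds the dotted address as a single unanalyzed string and uses Python's `fnmatch` as a local stand-in for the Lucene wildcard matcher.

```python
import fnmatch
import ipaddress

# Constructed sample records (not data from the original post), only the fields the query uses.
SAMPLE_LOGS = [
    {"src_address": "10.0.0.5", "low_level_category": "user_authentication_failure"},
    {"src_address": "10.255.1.9", "low_level_category": "user_authentication_failure"},
    {"src_address": "100.64.3.7", "low_level_category": "user_authentication_failure"},
    {"src_address": "192.168.1.20", "low_level_category": "user_authentication_failure"},
    {"src_address": "203.0.113.4", "low_level_category": "other"},
]

def negated_filters_agg(pattern="10.*", field="src_address"):
    """Query DSL form of 'NOT <field>:<pattern>' for a Filters bucket:
    the wildcard sits under bool.must_not, so the bucket counts documents
    whose field does NOT match the pattern."""
    not_match = {"bool": {"must_not": [{"wildcard": {field: pattern}}]}}
    return {"filters": {"filters": {"not_" + pattern: not_match}}}

def matches_wildcard(value, pattern):
    """Lucene-style wildcard on an unanalyzed string: '*' matches any run
    of characters, '?' one character, everything else (incl. '.') literal."""
    return fnmatch.fnmatchcase(value, pattern)

def in_cidr(addr, cidr="10.0.0.0/8"):
    """What the question really wants: membership in the IP range."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def select_not_matching(logs, pattern, category="user_authentication_failure"):
    """Local stand-in for 'low_level_category:<category> AND NOT
    src_address:<pattern>': the addresses the negated query would return."""
    return [
        rec["src_address"]
        for rec in logs
        if rec["low_level_category"] == category
        and not matches_wildcard(rec["src_address"], pattern)
    ]

def wildcard_agrees_with_cidr(logs, pattern, cidr="10.0.0.0/8"):
    """True when excluding by wildcard and excluding by CIDR drop exactly the
    same records; '10.*' agrees, '10*' does not (it also drops 100.x.x.x)."""
    return all(
        matches_wildcard(r["src_address"], pattern) == in_cidr(r["src_address"], cidr)
        for r in logs
    )
```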