The "port:XXX AND port:XXY AND port:XXZ" query will give you the results; you can then agg on IP on top of that.
I'd suggest you install Kibana4 and then get a table/chart that gives you the output you want, and then use the inspect functionality (the I on a panel) to see the query it used to get the data.

On 6 March 2015 at 22:32, horst knete <[email protected]> wrote:

> Hey guys,
>
> we are actually setting up some security-relevant searches in our ES database and came over the following case, which I don't get managed by myself:
>
> We want to make a query that checks if an IP address is accessing different ports in a given amount of time.
>
> So what we basically need to do is make a terms aggregation on a field called "remote_ip" and match the terms with a filter/query like "port:XXX AND port:XXY AND port:XXZ", but that query must go over different logs (port:XXX is in log1, port:XXZ is in log2).
>
> So that query should return all remote_ips that have accessed all 3 ports in the given time.
>
> I really struggle with those log-comprehensive searches, because I'm not that fit in aggregation yet.
>
> Some tips would be really appreciated.
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/220ed49b-5cf6-45cf-879b-10acecacc36e%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
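The following is an added example, not code from the thread or from Elasticsearch itself. It shows the shape the "all three ports per IP" search actually has to take: every log document carries a single port value, so a document-level `port:XXX AND port:XXY AND port:XXZ` can never match, and the cross-document condition has to be built as an OR over the ports in the filter, a terms aggregation on `remote_ip`, a sub-aggregation of the distinct ports each IP touched, and then a check that the per-IP set covers every required port. On Elasticsearch 1.x (current when this thread was written) that last check runs client-side; on 2.0 and later a `bucket_selector` pipeline aggregation can do it on the server. The field names `remote_ip`, `port` and `@timestamp`, the 1.x `filtered` query syntax, and the sample response are assumptions made for the example.

```python
"""Find remote_ips that hit every port in a required set inside a time
window, across log documents that each carry only one port value.

Added example for the elasticsearch list thread; field names and the
sample response are assumptions, not taken from a real cluster.
"""


def _normalize_port(value):
    """Coerce a port key to int so that an index where "port" is mapped as
    a string and one where it is a number compare equal (the two logs in
    the question may well be mapped differently)."""
    return int(value)


def build_query(ports, since, until, ip_field="remote_ip", port_field="port",
                time_field="@timestamp", max_ips=10000):
    """Return an Elasticsearch 1.x request body.

    The ports are OR-ed via a terms filter (one document never holds more
    than one port), restricted to the time window, then bucketed per IP
    with a sub-aggregation listing the distinct ports that IP touched.
    """
    required = sorted(_normalize_port(p) for p in ports)
    return {
        "size": 0,  # we only want the aggregations, not the hits
        "query": {
            "filtered": {
                "query": {"match_all": {}},
                "filter": {
                    "bool": {
                        "must": [
                            {"terms": {port_field: required}},
                            {"range": {time_field: {"gte": since, "lt": until}}},
                        ]
                    }
                },
            }
        },
        "aggs": {
            "by_ip": {
                # Caveat: an IP outside the top max_ips buckets is silently
                # missed, so keep this generous for scanner detection.
                "terms": {"field": ip_field, "size": max_ips},
                "aggs": {
                    "ports_seen": {"terms": {"field": port_field, "size": len(required)}}
                },
            }
        },
    }


def ips_hitting_all_ports(response, ports):
    """Client-side equivalent of a bucket_selector: keep only the IP buckets
    whose distinct ports cover the whole required set.

    Returns {remote_ip: doc_count} for the matching IPs.
    """
    required = {_normalize_port(p) for p in ports}
    matches = {}
    for bucket in response["aggregations"]["by_ip"]["buckets"]:
        seen = {_normalize_port(b["key"]) for b in bucket["ports_seen"]["buckets"]}
        if required <= seen:
            matches[bucket["key"]] = bucket["doc_count"]
    return matches


REQUIRED_PORTS = (22, 80, 443)

# Constructed sample response (not from a real cluster). Two client IPs;
# only the first touched all three ports. One port key is deliberately a
# string to exercise the normalization above.
SAMPLE_RESPONSE = {
    "aggregations": {
        "by_ip": {
            "buckets": [
                {"key": "10.0.0.5", "doc_count": 7,
                 "ports_seen": {"buckets": [
                     {"key": 22, "doc_count": 3},
                     {"key": "80", "doc_count": 2},
                     {"key": 443, "doc_count": 2}]}},
                {"key": "10.0.0.9", "doc_count": 4,
                 "ports_seen": {"buckets": [
                     {"key": 22, "doc_count": 2},
                     {"key": 80, "doc_count": 2}]}},
            ]
        }
    }
}


if __name__ == "__main__":
    import json
    body = build_query(REQUIRED_PORTS, "2015-03-06T22:00:00Z", "2015-03-06T22:30:00Z")
    print(json.dumps(body, indent=2))
    print(ips_hitting_all_ports(SAMPLE_RESPONSE, REQUIRED_PORTS))
```

The request body is what you would POST to `/<index-pattern>/_search` over every index the logs live in, so the aggregation naturally spans log1 and log2; the per-IP check is what turns "each document has one port" into "this IP has been seen on all of them".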
