I am trying to make splunk like searchs in Kibana, but can’t figure out how the syntax works.
I have alert.signature == myalert, with http.hostname == somedomain.
In bro, I rewrote host to http_host, and want to see the intersection of:
conn.log (conn id)
http.log (http.hostname from suricata events linked to http_host bro events here)
alert.signature (from suricata events)
So the result would be in a table I would hope, or soething like that:
http_host, http.http_content_type, http.http_method, http.http_user_agent, http.http_response_body_printable, payload_printable, fileinfo.filename, dest_ip, src_ip, conn_id
Drop down events like what you normally get would be fine as well. Hope this helps explain what I am trying to do. I am still struggling with lucerne search syntax and the front end.