Hello,
I’m not sure if it’s a bug or I’m just doing something wrong but I every time I create an index alias for example:
I have four indexes called logstash-12-14-2222, logstash-12-13-2222, logstash-12-12-2222, logstash-12-11-20222. Instead of importing each one individually into siren, I added logstash-*. It works in the sense that I can search the information from the dashboard but when I create relationships and drag it to the graph it doesn’t work.
Even when I enter an ip address into the graph and I click expand, nothing. I see there are 200 results but nothing happens on the graph itself.
Hope you have an idea of what’s going on.
Thanks.
Hi James,
Can you please confirm the Investigate and federate version you are using?
Also please provide some sample records and relation you have created.
Regards
Manu Agarwal
Hey,
Investigate: 12.1.2
Federate 7.17.6-28.1
I have multiple logs for example:
{
“@timestamp” => 2022-12-09T01:19:20.071Z,
“offset” => 121,
“@version” => “1”,
“logstash” => {
“name” => “MacBook-Pro.local”,
“hostname” => “MacBook-Pro.local”,
“version” => “6.0.0”
},
“host” => “MacBook-Pro.local”,
“prospector” => {
“type” => “log”
},
“input” => {
“type” => “log”
},
“source” => “/root/logstash-tmp.log”,
“response” => “200”,
“bytes” => “203023”,
“clientip” => “127.0.0.1”,
“device” => “Macintosh”,
“message” => “1.93.9.23 - - [04/Jan/2015:05:13:42 +0000] "GET /tmp/logstash-tmp/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/\” "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36""
}
I have the host connected to a host, IP, domain, device type as entity identifiers. When I search for the IP or domain for example I see I have twenty records but when I click expand nothing happens.
Again, that only happens when I have the logstash-* as the index. When I add each index separately, ie.e. logstash-12-14-2222, logstash-12-13-2222, logstash-12-12-2222, everything works fine.
Hi James,
Can you please cross check the mapping for all the 4 indices are same? If the mapping is different then it can create an issue while expanding the graph nodes.
We tried to replicate it on our side but we didn’t find any issue if the mapping are same.
Regards
Manu Agarwal