I was able to successfully add Elasticsearch as a data source. I have tried using tons of different metrics.
Here is a query example:
xhrStatus: "complete"
request: Object
    method: "POST"
    url: "api/datasources/proxy/3/_msearch"
    data:
        {"search_type":"query_then_fetch","ignore_unavailable":true,"index":["firepower-2018.09.27"],"max_concurrent_shard_requests":256}
        {"size":0,"query":{"bool":{"filter":[{"range":{"@timestamp":{"gte":"1538048786192","lte":"1538070386192","format":"epoch_millis"}}},{"query_string":{"analyze_wildcard":true,"query":"classification:Potentially Bad Traffic"}}]}},"aggs":{"3":{"terms":{"field":"dstIP.keyword","size":10,"order":{"_term":"desc"},"min_doc_count":1},"aggs":{}}}}
response: Object
    responses: Array[1]
        0: Object
            took: 1
            timed_out: false
            _shards: Object
                total: 5
                successful: 5
                skipped: 0
                failed: 0
            hits: Object
                total: 0
                max_score: 0
                hits: Array[0]
            aggregations: Object
                3: Object
                    doc_count_error_upper_bound: 0
                    sum_other_doc_count: 0
                    buckets: Array[0]
status: 200
I am seeing the fields in the grouping options, so I know my data connection works. I can never get anything to show up in any panel type.
I just want a list of the top srcIPs grouped together. This is quite easy to accomplish in Kibana.
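For reference, here is an added example (editor's code, not the poster's or Grafana's) that builds the same kind of `_msearch` request the post shows and reads the terms buckets back out of the response. It assumes the index name, `@timestamp` field and `classification` value from the request above, and a `srcIP.keyword` field as the source-IP counterpart of the `dstIP.keyword` field in the post. It differs from the posted request in two places a practitioner would check: the `query_string` phrase is quoted, since unquoted `classification:Potentially Bad Traffic` binds the field name only to the first word and sends `Bad` and `Traffic` to the default field; and the aggregation is ordered by `_count` rather than `_term`, so the top-N is the busiest sources rather than the alphabetically last ones. The sample response is constructed, not real data, and includes the empty-buckets case the post got back.

```python
import json

# Field names taken from the Grafana request in the post; "srcIP.keyword" is an
# assumption (the source-IP counterpart of the "dstIP.keyword" field used there).
SRC_IP_FIELD = "srcIP.keyword"
CLASSIFICATION = "Potentially Bad Traffic"


def build_msearch(index, gte_ms, lte_ms, field=SRC_IP_FIELD, size=10,
                  classification=CLASSIFICATION):
    """Return the NDJSON body for a top-N terms aggregation, in the same
    header-line + body-line _msearch shape the Grafana data source sends."""
    header = {
        "search_type": "query_then_fetch",
        "ignore_unavailable": True,
        "index": [index],
    }
    body = {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": str(gte_ms), "lte": str(lte_ms),
                                      "format": "epoch_millis"}}},
            # Quoting the phrase keeps all three words bound to "classification";
            # unquoted, query_string scopes the field to the first word only.
            {"query_string": {"analyze_wildcard": True,
                              "query": 'classification:"%s"' % classification}},
        ]}},
        "aggs": {"top_src": {"terms": {
            "field": field,
            "size": size,
            # "_count" desc ranks by volume; "_term" desc only sorts the IP strings.
            "order": {"_count": "desc"},
            "min_doc_count": 1,
        }}},
    }
    return json.dumps(header) + "\n" + json.dumps(body) + "\n"


def top_buckets(msearch_response, agg_name="top_src"):
    """Extract [(term, doc_count), ...] from an _msearch response.
    Returns [] when the query matched nothing (hits.total == 0 and empty
    buckets, which is exactly the response shown in the post)."""
    out = []
    for resp in msearch_response.get("responses", []):
        if resp.get("error"):
            raise RuntimeError(resp["error"])
        agg = resp.get("aggregations", {}).get(agg_name, {})
        out.extend((b["key"], b["doc_count"]) for b in agg.get("buckets", []))
    return out


# Constructed sample responses (not real data) in the shape Elasticsearch returns.
SAMPLE_RESPONSE = {
    "responses": [{
        "took": 3, "timed_out": False,
        "_shards": {"total": 5, "successful": 5, "skipped": 0, "failed": 0},
        "hits": {"total": 42, "max_score": 0, "hits": []},
        "aggregations": {"top_src": {
            "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
            "buckets": [
                {"key": "10.0.0.5", "doc_count": 30},
                {"key": "192.0.2.17", "doc_count": 12},
            ]}},
        "status": 200,
    }]
}

EMPTY_RESPONSE = {"responses": [{
    "hits": {"total": 0, "max_score": 0, "hits": []},
    "aggregations": {"top_src": {"buckets": []}},
    "status": 200,
}]}


if __name__ == "__main__":
    print(build_msearch("firepower-2018.09.27", 1538048786192, 1538070386192))
    print(top_buckets(SAMPLE_RESPONSE))  # [('10.0.0.5', 30), ('192.0.2.17', 12)]
    print(top_buckets(EMPTY_RESPONSE))   # []
```

Running the script prints the two NDJSON lines you can POST to `/_msearch` (or paste into Kibana's dev console) to confirm the index, time range and phrase actually match documents before building the Grafana panel; an empty bucket list from `top_buckets` means the query, not the panel, is the thing to fix.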