Adding a Table to Display Source IP Addresses by Events/Day
To add a table that groups the source IP addresses by events/day to your custom dashboard:
- Click the Visualize menu and locate the Custom menu block.
- Click the dashboard you want to edit. The dashboard appears.
- Click Edit. The display switches to the editing canvas.
- Click New table. The Chart Builder dialog box appears.
- Enter the Chart Name. Ours is Top 5 Source IPs per Day. This field does not support multibyte characters.
  Special characters are not permitted in name fields for Queries, Lookup lists, or Reports/Dashboards. Letters, underscores, spaces, dashes, numbers and periods are permitted.
- Choose the Tenant. We chose All Tenants.
- Choose the Indices. We chose Security Events.
- Leave the query as None. The query is optional.
- Choose Groupings for the Table Type.
- Click Next. The Groupings tab appears.
- Click + Add Grouping twice to add a total of three groupings. The groupings are processed sequentially, and you can move them to change the configuration.
- Open the Column 1 grouping.
- Enter a better Column Label. We chose Date.
- For the remaining fields:
  - Aggregation: Date Histogram
  - Field: timestamp
  - Interval Time: 1
  - Interval Unit: Day
- Open the Column 2 grouping.
- Enter a Column Label. We chose Source IP Address.
- For the remaining fields:
  - Aggregation: Term
  - Field: srcip
  - Metric: Count
  - Order: Descending
  - Size: 5
- Open the Column 3 grouping.
- Enter a Column Label. We chose Number.
- For the remaining fields:
  - Aggregation: Metric
  - Metric: Count
- Click Next. The Options tab appears.
- Click Submit. The table is added and the editing canvas appears.
- Click Save. The dashboard appears with your new table.
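What the three sequential groupings compute, as an added example that is not part of the original page or the product's own code: a Python sketch that rebuilds the table from constructed events and shows that the top 5 ranking is applied inside each day bucket rather than across the whole time range. It assumes `timestamp` is epoch milliseconds in UTC and breaks count ties by IP string; the sample events and the function name are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

def _event(day, srcip):
    # Constructed event; assumes timestamp is epoch milliseconds in UTC.
    ts = datetime(2024, 5, day, 12, tzinfo=timezone.utc).timestamp()
    return {"timestamp": int(ts * 1000), "srcip": srcip}

# Constructed sample data: (day of month, source IP, number of events).
_COUNTS = [(1, "10.0.0.1", 6), (1, "10.0.0.2", 5), (1, "10.0.0.3", 4),
           (1, "10.0.0.4", 3), (1, "10.0.0.5", 2), (1, "10.0.0.6", 1),
           (2, "10.0.0.6", 3), (2, "10.0.0.1", 1)]
SAMPLE_EVENTS = [_event(d, ip) for d, ip, n in _COUNTS for _ in range(n)]

def top_sources_per_day(events, size=5):
    """Return rows (Date, Source IP Address, Number) like the three-column table."""
    # Column 1: date histogram on timestamp, interval 1 day (UTC boundaries assumed).
    per_day = defaultdict(Counter)
    for ev in events:
        day = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc).date()
        # Column 2: term grouping on srcip, counted inside that day's bucket.
        per_day[day][ev["srcip"]] += 1
    rows = []
    for day in sorted(per_day):
        # Order: Descending by count; Size: keep only the top `size` terms per day.
        # Tie-break on the IP string is an assumption made for determinism.
        ranked = sorted(per_day[day].items(), key=lambda kv: (-kv[1], kv[0]))
        for srcip, count in ranked[:size]:
            # Column 3: the count metric for this (day, srcip) pair.
            rows.append((day.isoformat(), srcip, count))
    return rows

if __name__ == "__main__":
    for row in top_sources_per_day(SAMPLE_EVENTS):
        print("%-12s %-18s %d" % row)
```

In the sample data, 10.0.0.6 is cut from the first day's rows because five other addresses outrank it, yet it leads the second day: a source that stays just under the per-day cutoff never appears in the table, so raise Size when reviewing low-volume sources.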
 
