Setting the Time Period

Kibana displays events from the last 15 minutes by default. We're going to need a little more data than that!

  1. Click 'Last 15 minutes' in the top-right corner
  2. Select 'Last 5 Years' from the drop-down menu

The phone subscriber dataset has entries older than 5 years, so you may need to select a longer period when browsing phone_subscriber_info-*

Selecting a Dataset

Click on the dropdown menu on the top left of the page (just below the search bar) to select your dataset. There should be four listed:

Making a Simple Query

Once the dataset and the time period are selected, your main window should be similar to the screenshot below.

The search bar is located at the top and the search results are displayed in the middle. By default, Kibana puts a * in the search field, which matches every document. This is the 'wildcard' search operator.

You can submit a search by entering your keywords in the search bar. A bare keyword is matched against every field; to search a single field, use the field:value form. In this case, we are searching for a specific IP address:

Making Advanced Queries

You can enter multiple keywords and use search operators to define the relationship between them.

The default operator is OR, so two bare keywords match any document containing either of them. In the screenshot below, we explicitly added AND to require both a specific IP and an email address.
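To make the simple and advanced query rules above concrete, here is an added example (not code from the original tutorial or from Kibana) that evaluates the subset of Kibana's query-string syntax used in this tutorial over a handful of constructed records: bare keywords, field:value terms, the * wildcard, and AND/OR with OR as the default operator. The field names (src_ip, email, message) and the sample records are assumptions for illustration, not fields from the challenge datasets.

```python
"""Minimal evaluator for the Kibana query-string subset used in the tutorial.

Added example, not part of the original page. It models bare keywords,
field:value terms, the '*' wildcard and AND/OR with OR as the default
operator, which is enough to show why 'a b' and 'a AND b' differ.
"""
import fnmatch
import re

# Constructed sample records standing in for indexed log documents.
# The field names are assumptions, not the challenge dataset's fields.
DOCS = [
    {"src_ip": "10.0.0.5", "email": "alice@example.com", "message": "login ok"},
    {"src_ip": "10.0.0.5", "email": "bob@example.com", "message": "login failed"},
    {"src_ip": "192.168.1.9", "email": "alice@example.com", "message": "logout"},
]

# Operators must be upper-case, as in Kibana; anything else is a term.
TOKEN = re.compile(r"(AND\b|OR\b|\S+)")


def tokenize(query):
    return TOKEN.findall(query)


def parse(query):
    """Split the query into OR-groups of AND-ed terms.

    Two adjacent terms with no operator between them fall into separate
    groups, i.e. the default operator is OR. 'AND' keeps the next term in
    the current group.
    """
    groups, current, pending = [], [], None
    for tok in tokenize(query):
        if tok in ("AND", "OR"):
            pending = tok
            continue
        if current and pending != "AND":
            groups.append(current)
            current = []
        current.append(tok)
        pending = None
    if current:
        groups.append(current)
    return groups


def term_matches(term, doc):
    """True if a single term ('field:pattern' or a bare pattern) hits doc."""
    field, sep, pattern = term.partition(":")
    if not sep:                       # bare keyword: search every field
        field, pattern = None, term
    if field is not None and field not in doc:
        return False
    values = [doc[field]] if field else doc.values()
    pattern = pattern.lower()
    for value in values:
        value = str(value).lower()
        # Analysed text: a term matches the whole value or any one word of it,
        # and '*' / '?' act as wildcards.
        if fnmatch.fnmatchcase(value, pattern) or any(
                fnmatch.fnmatchcase(word, pattern) for word in value.split()):
            return True
    return False


def search(query, docs=DOCS):
    """Return the documents matched by the query string."""
    groups = parse(query)
    return [d for d in docs
            if any(all(term_matches(t, d) for t in g) for g in groups)]


if __name__ == "__main__":
    for q in ("*", "src_ip:10.0.0.5", "10.0.0.5 alice@example.com",
              "10.0.0.5 AND alice@example.com", "message:login failed"):
        print(f"{q!r:40} -> {len(search(q))} hit(s)")
```

Note the last query: in this syntax the field prefix applies only to the term it is attached to, so message:login failed is two terms (message:login OR failed), not a phrase. Quote the phrase or join the terms with AND if that is what you mean.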

Displaying Results

By default, Kibana displays every field of each matching document, which makes the results hard to read. To make them more readable, select only the relevant fields to display.

Hover over a field in the field list on the left-hand side and click add. This adds the field as a column in the results window. You may select multiple fields to display multiple columns.

Link Analysis

To solve the fifth challenge, you will need to use Graph to perform link analysis on the telephone call logs. First, click on the icon next to Settings and select Graph from the drop-down menu.

Once Graph is opened, you need to select the appropriate dataset. Click on the drop-down menu and select logstash-phone_metadata_log-*

Then click on the Erlenmeyer flask icon on the right.

Click on Fields and select the field name you would like to search on. In this example, we select subscriber_phone_number.keyword and dialled_number.keyword

Make sure you always select the field name ending in .keyword. The .keyword sub-field holds the exact, unanalysed value, which is what Graph needs to treat each phone number as a single vertex; the plain text field is tokenised and is not aggregatable, so Graph cannot build vertices from it.

Then you can use the search box for visualising your datasets. In this example, we used "*" as a search string instead of a phone number.
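The link analysis Graph performs on the call logs, as an added example in plain Python (not the tutorial's own code and not Kibana's implementation): it builds a call graph from constructed records using the two fields selected above, ranks numbers by how many others they are linked to, finds the chain of calls joining two numbers, and splits the logs into unconnected clusters. It also shows why the .keyword sub-field matters: the analysed_terms helper approximates what the tokenised text field would store, so vertices built from it would be fragments such as '44' and '7946' rather than whole phone numbers. The call records and the tokeniser are assumptions for illustration.

```python
"""Link analysis over call-log records, as Graph does in the tutorial.

Added example, not from the original page or from Kibana. The records are
constructed; the two field names match the ones selected in Graph
(subscriber_phone_number, dialled_number).
"""
import re
from collections import defaultdict, deque

# Constructed call-log records (not from the challenge dataset).
CALLS = [
    {"subscriber_phone_number": "+44 20 7946 0001", "dialled_number": "+44 20 7946 0002"},
    {"subscriber_phone_number": "+44 20 7946 0001", "dialled_number": "+44 20 7946 0003"},
    {"subscriber_phone_number": "+44 20 7946 0002", "dialled_number": "+44 20 7946 0003"},
    {"subscriber_phone_number": "+44 20 7946 0003", "dialled_number": "+44 20 7946 0004"},
    {"subscriber_phone_number": "+44 20 7946 0005", "dialled_number": "+44 20 7946 0006"},
]


def analysed_terms(value):
    """Approximation (an assumption, not the real analyser) of what a text
    field stores: lower-cased tokens split on non-alphanumerics. This is why
    Graph must be pointed at the .keyword sub-field: on the analysed field a
    phone number shatters into fragments like '44', '20', '7946'."""
    return re.findall(r"[a-z0-9]+", value.lower())


def vertices(records, field, keyword=True):
    """Vertex set Graph would build from `field`: exact values for the
    .keyword sub-field, token fragments for the analysed text field."""
    out = set()
    for record in records:
        if keyword:
            out.add(record[field])
        else:
            out.update(analysed_terms(record[field]))
    return out


def build_graph(records, src="subscriber_phone_number", dst="dialled_number"):
    """Undirected adjacency map: number -> {linked number: call count}."""
    adj = defaultdict(lambda: defaultdict(int))
    for record in records:
        a, b = record[src], record[dst]
        adj[a][b] += 1
        adj[b][a] += 1
    return adj


def neighbours(adj, number):
    """Numbers directly linked to `number`, with the number of calls."""
    return dict(adj.get(number, {}))


def degree_ranking(adj):
    """Numbers ordered by how many distinct numbers they are linked to."""
    return sorted(adj, key=lambda n: (-len(adj[n]), n))


def shortest_path(adj, start, goal):
    """Breadth-first search; the chain of numbers linking start to goal,
    or None if the two never connect through the call logs."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, {}):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def components(adj):
    """Clusters of numbers that are linked to each other at all."""
    seen, clusters = set(), []
    for start in adj:
        if start in seen:
            continue
        cluster, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in cluster:
                continue
            cluster.add(node)
            queue.extend(adj[node])
        seen |= cluster
        clusters.append(cluster)
    return clusters


if __name__ == "__main__":
    graph = build_graph(CALLS)
    print("keyword vertices:", sorted(vertices(CALLS, "subscriber_phone_number")))
    print("analysed vertices:", sorted(vertices(CALLS, "subscriber_phone_number", keyword=False)))
    print("most connected:", degree_ranking(graph)[0])
    print("path 0001 -> 0004:", shortest_path(graph, "+44 20 7946 0001", "+44 20 7946 0004"))
    print("clusters:", len(components(graph)))
```

The degree ranking and the shortest path are the two questions a call-log investigation usually starts with (who is the hub, and how are two numbers connected); the cluster count tells you which numbers in the dataset are unrelated to the ones you care about.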