Community ID processor
Computes the Community ID for network flow data as defined in the Community ID Specification. You can use a community ID to correlate network events related to a single flow.
The community ID processor reads network flow data from related Elastic Common Schema (ECS) fields by default. If you use the ECS, no configuration is required.
Table 7. Community ID Options

Name | Required | Default | Description |
---|---|---|---|
`source_ip` | no | `source.ip` | Field containing the source IP address. |
`source_port` | no | `source.port` | Field containing the source port. |
`destination_ip` | no | `destination.ip` | Field containing the destination IP address. |
`destination_port` | no | `destination.port` | Field containing the destination port. |
`iana_number` | no | `network.iana_number` | Field containing the IANA number. |
`icmp_type` | no | `icmp.type` | Field containing the ICMP type. |
`icmp_code` | no | `icmp.code` | Field containing the ICMP code. |
`transport` | no | `network.transport` | Field containing the transport protocol. Used only when the `iana_number` field is not present. |
`target` | no | `network.community_id` | Output field for the community ID. |
`seed` | no | `0` | Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme. |
`ignore_missing` | no | `true` | If `true` and any required fields are missing, the processor quietly exits without modifying the document. |
`description` | no | - | Description of the processor. Useful for describing the purpose of the processor or its configuration. |
`if` | no | - | Conditionally execute the processor. See Conditionally run a processor. |
`ignore_failure` | no | `false` | Ignore failures for the processor. See Handling pipeline failures. |
`on_failure` | no | - | Handle failures for the processor. See Handling pipeline failures. |
`tag` | no | - | Identifier for the processor. Useful for debugging and metrics. |
Here is an example definition of the community ID processor (an empty `community_id` object uses the ECS defaults from the table above):

```json
{
  "description" : "...",
  "processors" : [
    {
      "community_id": {
      }
    }
  ]
}
```
When the above processor executes on the following document:

```json
{
  "_source": {
    "source": {
      "ip": "123.124.125.126",
      "port": 12345
    },
    "destination": {
      "ip": "55.56.57.58",
      "port": 80
    },
    "network": {
      "transport": "TCP"
    }
  }
}
```
It produces this result:

```json
{
  "_source" : {
    "destination" : {
      "port" : 80,
      "ip" : "55.56.57.58"
    },
    "source" : {
      "port" : 12345,
      "ip" : "123.124.125.126"
    },
    "network" : {
      "community_id" : "1:9qr9Z1LViXcNwtLVOHZ3CL8MlyM=",
      "transport" : "TCP"
    }
  }
}
```
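To see what the processor actually computes, and to be able to verify a stored `network.community_id` value independently of the ingest pipeline, here is a stand-alone Python implementation added as an example. It is not Elasticsearch's code: it follows the public Community ID v1 specification as this editor understands it (seed, both addresses, protocol, a zero pad byte, and both ports, hashed with SHA-1, base64-encoded and prefixed with `1:`, after ordering the endpoints so that both directions of a flow hash identically). The `enrich` function mirrors the processor's default ECS field handling from the table above; the `TRANSPORT_NUMBERS` map is an assumed subset of the transport names the real processor accepts, and ICMPv6 type mapping is deliberately left out.

```python
# Added example: a stand-alone Community ID v1 computation in Python.
# This is NOT Elasticsearch's implementation; it follows the public
# Community ID specification as this editor understands it, so that the
# value the processor writes can be reproduced and checked offline.
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers (standard assigned values).
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMP6, PROTO_SCTP = 1, 6, 17, 58, 132

# ECS network.transport names -> IANA numbers. Assumption: a subset of the
# names the real processor accepts, enough for the page's example.
TRANSPORT_NUMBERS = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP,
                     "udp": PROTO_UDP, "sctp": PROTO_SCTP}

# ICMPv4 request/reply pairs. A request and its reply must hash to the same
# ID, so the "ports" of a mapped type are (type, counterpart type).
ICMP4_TYPE_MAP = {8: 0, 0: 8, 13: 14, 14: 13, 15: 16, 16: 15,
                  10: 9, 9: 10, 17: 18, 18: 17}


def community_id(src_ip, dst_ip, proto, src_port=None, dst_port=None,
                 icmp_type=None, icmp_code=None, seed=0):
    """Return the Community ID v1 string for one flow (constructed helper)."""
    if not 0 <= seed <= 65535:
        raise ValueError("seed must be between 0 and 65535 inclusive")
    if proto == PROTO_ICMP6:
        raise ValueError("ICMPv6 type mapping is not implemented in this example")
    saddr = ipaddress.ip_address(src_ip).packed   # network byte order, v4 or v6
    daddr = ipaddress.ip_address(dst_ip).packed
    if len(saddr) != len(daddr):
        raise ValueError("source and destination must be the same IP family")

    one_way = False
    if proto == PROTO_ICMP:
        if icmp_type in ICMP4_TYPE_MAP:
            sport, dport = icmp_type, ICMP4_TYPE_MAP[icmp_type]
        else:                                     # no counterpart: direction matters
            sport, dport, one_way = icmp_type, icmp_code, True
    elif proto in (PROTO_TCP, PROTO_UDP, PROTO_SCTP):
        if src_port is None or dst_port is None:
            raise ValueError("ports are required for TCP/UDP/SCTP")
        sport, dport = src_port, dst_port
    else:
        sport = dport = None                      # port-less protocol: 3-tuple only

    # Canonical ordering: the smaller (address, port) endpoint goes first so
    # that both directions of a bidirectional flow produce the same ID.
    if not one_way:
        in_order = saddr < daddr or (
            saddr == daddr and sport is not None and sport < dport)
        if not in_order:
            saddr, daddr, sport, dport = daddr, saddr, dport, sport

    data = struct.pack("!H", seed) + saddr + daddr + struct.pack("BB", proto, 0)
    if sport is not None and dport is not None:
        data += struct.pack("!HH", sport, dport)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def enrich(doc, seed=0, ignore_missing=True):
    """Mimic the processor's default ECS field handling on one document
    (constructed logic, not the processor's code): read source.ip/port,
    destination.ip/port, network.iana_number or network.transport and
    icmp.type/code; write network.community_id."""
    src, dst = doc.get("source", {}), doc.get("destination", {})
    net, icmp = doc.get("network", {}), doc.get("icmp", {})
    proto = net.get("iana_number")
    if proto is None:
        proto = TRANSPORT_NUMBERS.get(str(net.get("transport", "")).lower())
    missing = src.get("ip") is None or dst.get("ip") is None or proto is None
    if not missing and int(proto) in (PROTO_TCP, PROTO_UDP, PROTO_SCTP):
        missing = src.get("port") is None or dst.get("port") is None
    if missing:
        if ignore_missing:
            return doc                            # quietly leave the document alone
        raise ValueError("required flow fields are missing")
    cid = community_id(src["ip"], dst["ip"], int(proto),
                       src.get("port"), dst.get("port"),
                       icmp.get("type"), icmp.get("code"), seed)
    doc.setdefault("network", {})["community_id"] = cid
    return doc


if __name__ == "__main__":
    # Constructed sample document shaped like the one in the text above.
    sample = {"source": {"ip": "123.124.125.126", "port": 12345},
              "destination": {"ip": "55.56.57.58", "port": 80},
              "network": {"transport": "TCP"}}
    print(enrich(sample)["network"]["community_id"])
```

Running the block prints the ID for the page's sample document, so the stored value can be cross-checked against what an independent implementation produces. Two properties are worth keeping in mind when correlating events: the ID is direction-independent (client-to-server and server-to-client packets of one TCP connection get the same ID), and it is seed-dependent, so two data sources that compute Community IDs with different seeds will never correlate even for the same flow.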