In the following earlier articles, I showed what the index pattern formatter can do:

  • Kibana: Deep analysis of data in Kibana (Drilldown)
  • Kibana: Customize the Time Picker and metrics visual display format in Kibana

Many Kibana queries return results that contain an IP address, which can appear on the Discover page or in a table. Suppose we want to know whether the IP address belongs to a malicious site, or we simply want to know more about the site. Many websites provide this information, and the manual way to use them is to copy the address and paste it into one of them, such as tools.keycdn.com/geo?host=13… There we can view the information for the IP address 139.162.67.103:

In Kibana, the IP address is usually presented in this form:

The IP address above is displayed in a text format. Is there a way to click on the IP address directly to launch the site and display the results?

The answer is yes. In the previous article, I showed that you can change the display of a field by using the Index Pattern formatter.

 

Prepare the data

Open the Kibana interface:

Click Add data:

Now our sample data is imported into Elasticsearch.

Click Discover:

We select the index we want, kibana_sample_data_logs, and choose a suitable time range in the time picker. Click the Add button above:

Click the Add button above. The table now displays the host and IP:

As you can see above, our IP address doesn’t have a hyperlink that we can click on.

 

Use the index pattern formatter to format the display

Our next goal is to turn our IP address into a hyperlink. When we click on the hyperlink, we launch the tools.keycdn.com/ service and query our IP.

Open Kibana Stack Management:

Click on the kibana_sample_data_logs index above:

Click on the edit icon above:

Select the Url format:

We enter tools.keycdn.com/geo?host={{value}} in the URL template field and save.

This completes the display configuration for the IP field.

Let’s go back to the Discover page:

At this point, we can see that the IP address is a hyperlink. We can click on this link:

Another browser window is launched. We can view the details of this IP address.
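
What the link resolves to for different field values, as an added example (not code from the original article or from Kibana): it approximates the Url formatter's substitution, in which `{{value}}` is the URI-encoded field value and `{{rawValue}}` the unencoded one, and adds an assumed pre-check that builds a lookup link only for public IP addresses, because each click sends the address to a third-party site. The function names and sample values are constructed for illustration.

```python
import ipaddress
from urllib.parse import quote

# URL template exactly as entered in the formatter in this article.
URL_TEMPLATE = "tools.keycdn.com/geo?host={{value}}"


def expand_template(template, raw):
    """Approximate the Url formatter: {{value}} is the URI-encoded field
    value, {{rawValue}} is the value as stored."""
    encoded = quote(raw, safe="")
    return template.replace("{{value}}", encoded).replace("{{rawValue}}", raw)


def lookup_link(raw, template=URL_TEMPLATE):
    """Return a lookup link only for a syntactically valid, public IP."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # not an IP address: build no link from free text
    if not ip.is_global:
        return None  # private/loopback/reserved: keep it off third-party sites
    return expand_template(template, str(ip))


# Constructed sample field values (the first is the address from the article).
SAMPLES = ["139.162.67.103", "10.0.0.5", "127.0.0.1", "1.2.3.4&host=example.org"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:32} checked: {lookup_link(value)}")
        print(f"{'':32} raw:     {expand_template(URL_TEMPLATE, value)}")
```

The last sample shows why the encoded `{{value}}` placeholder is the right choice for a query parameter: the `&` and `=` are percent-encoded, so the whole field value stays inside `host`.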