Please enable JavaScript.

Coggle requires JavaScript to display documents.

ELK - Coggle Diagram

- - - - Documents are the things you're searching for. They can be any structured JSON. Every document has a unique ID.
      - Elasticsearch document would be analogous to SQL row
    - - An index powers search into all documents within a collection of types.
      - Index contain inverted indices that allow search across everything within them at once, and mappings that define schemas for the data within.
      - Elasticsearch index would be analogous to SQL table
      - Inverted index
        
        The purpose of an inverted index, is to store text in a structure that allows for very efficient and fast full-text searches. When performing full-text searches, we are actually querying an inverted index and not the JSON documents that we defined when indexing the documents
    - - Mapping is a schema definition
      - Elasticsearch has reasonable defaults to map our data into the right type, however, there are situations where we need to be explicit.
      - Maps can define field types (date, integer, float, etc)
      - Maps can also define if fields should be indexed for full-text search
      - Maps can also define analyzers
        
        Character filter
        
        e.g. Remove HTML encoding
        
        Tokenizer
        
        Split string based on white space, punctuation, etc
        
        Token filter
        
        lowercasing, steeming, stop words, synonyms
  - - - Documents are hashed to a particular shared
      - Each shard may be on a different node in a cluster
      - Every shard is a self-contained Lucene index of its own.
    - - Affect the scalability of write requests
    - - Affects the scalability of read requests
  - - - Minimizes storage space, make it easy to change data
      - However, requires multiple queries to 'join' information
    - - Information is duplicated, but only one query
    - - Set mapping relationship
      - Use queries with has_child or has_parent
  - - - Fields of the flattened data type will be treated as keywords (no analyzers or tokenizers). For instance, it is not possible to perform partial match.
  - - - It is not possible to sort by analyzed fields. Workaround: map the field also a 'raw' subfield with type 'keyword'.
    - - Levenshtein distance
        
        Implemented with parameter 'fuzziness'
        
        Fuzziness: AUTO
        
        0 for 1-2 character strings
        
        1 for 3-5 character strings
        
        2 for anything else
- - - - https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm