Skip to content

Instantly share code, notes, and snippets.

@drolfe

drolfe/es-query.rb

Created June 13, 2016 17:18
Show Gist options
  • Save drolfe/e3ad18d92aa41b762d3c85507971266e to your computer and use it in GitHub Desktop.
Save drolfe/e3ad18d92aa41b762d3c85507971266e to your computer and use it in GitHub Desktop.
Download ZIP
Query ElasticSearch via Ruby
Raw
es-query.rb
#!/usr/bin/ruby
require 'json'
require 'elasticsearch'
#My complex ES query, Basically detects port scanning via our network sflow data
json_search = '{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
"filter": {
"bool": {
"must": [
{
"query": {
"query_string": {
"query": "*",
"analyze_wildcard": true
}
}
},
{
"range": {
"@timestamp": {
"gt": "now-48h"
}
}
}
],
"must_not": []
}
}
}
},
"size": 0,
"aggs": {
"3": {
"terms": {
"field": "sflow_tcp_dst_port",
"size": 5,
"order": {
"2": "desc"
}
},
"aggs": {
"2": {
"cardinality": {
"field": "sflow_ipv4_dst"
}
},
"4": {
"terms": {
"field": "sflow_ipv4_src",
"size": 5,
"order": {
"2": "desc"
}
},
"aggs": {
"2": {
"cardinality": {
"field": "sflow_ipv4_dst"
}
}
}
}
}
}
}
}'
#Connect to ES
client = Elasticsearch::Client.new host: '192.168.10.101', log: true
client.transport.reload_connections!
#Run the search off above JSON data
req = client.search body: JSON.parse(json_search)
#Test working with returned HASH
req['aggregations']['3']['buckets'].each do |level1|
puts "\n\nStats for Port Number #{level1['key']}"
level1['4']['buckets'].each do |level2|
puts "Host #{level2['key_as_string']} has connected to #{level2['2']['value']} uniq destinations"
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment