@rylnd
Last active May 3, 2023 22:07
Aggregate over multiple types of documents, grouping by common fields
// Composite aggregation keyed on the (identifierType, identifierValue) pair, run over both
// indices at once. Each identity bucket is then split by `_index`, so the watchlist documents
// and the risk-score documents for the same identity come back side by side; `top_hits`
// returns the two newest of each (sorted by @timestamp desc). `size: 0` suppresses the plain
// search hits so only the aggregation is returned.
// Composite buckets can be paged with the `after` parameter using the `after_key` from the
// previous response — the pagination the multi_terms variant further down lacks.
GET risk_score,watchlist/_search
{
  "size": 0,
  "aggs": {
    "identities": {
      "composite": {
        "sources": [
          {
            "identityField": {
              "terms": {
                "field": "identifierType"
              }
            }
          },
          {
            "identityValue": {
              "terms": {
                "field": "identifierValue"
              }
            }
          }
        ]
      },
      "aggs": {
        "watchlists": {
          "filter": {
            "term": {
              "_index": "watchlist"
            }
          },
          "aggs": {
            "newest_watchlists": {
              "top_hits": {
                "size": 2,
                "sort": [
                  {
                    "@timestamp": "desc"
                  }
                ]
              }
            }
          }
        },
        "risk_scores": {
          "filter": {
            "term": {
              "_index": "risk_score"
            }
          },
          "aggs": {
            "latest_scores": {
              "top_hits": {
                "size": 2,
                "sort": [
                  {
                    "@timestamp": "desc"
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
// group by identity, sort by risk score.
// Downside: buckets without a risk score appear first
// Downside: can't paginate the aggregation
// multi_terms keyed on the same (identifierType, identifierValue) pair as the composite
// query above. Buckets are ordered by the most recent riskScore: the `risk_scores` filter
// keeps only documents that carry a riskScore, `top` picks the value from the document with
// the latest @timestamp, and `order` references it by aggregation path
// `risk_scores>top.riskScore`. Buckets with no such document have no value to order on.
GET risk_score,watchlist/_search
{
  "size": 0,
  "aggs": {
    "identities": {
      "multi_terms": {
        "terms": [
          {
            "field": "identifierType"
          },
          {
            "field": "identifierValue"
          }
        ],
        "order": {
          "risk_scores>top.riskScore": "desc"
        }
      },
      "aggs": {
        "risk_scores": {
          "filter": {
            "exists": {
              "field": "riskScore"
            }
          },
          "aggs": {
            "top": {
              "top_metrics": {
                "metrics": {
                  "field": "riskScore"
                },
                "sort": {
                  "@timestamp": "desc"
                }
              }
            }
          }
        }
      }
    }
  }
}
// Explicit mapping for the risk_score index. identifierType and identifierValue are
// `keyword` (exact-match, not analyzed) so they can be used as terms sources in the
// aggregations above; @timestamp is a `date` (the bulk sample below supplies it as epoch
// milliseconds). riskScore is a float, which is fine for ordering but not for exact
// decimal comparison; riskScoreLevel is a keyword label alongside the numeric score.
// Note: PUT creates the index and fails if it already exists.
PUT risk_score
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "identifierType": {
        "type": "keyword"
      },
      "identifierValue": {
        "type": "keyword"
      },
      "riskScoreLevel": {
        "type": "keyword"
      },
      "riskScore": {
        "type": "float"
      }
    }
  }
}
// Explicit mapping for the watchlist index. It shares the @timestamp / identifierType /
// identifierValue fields (same types) with risk_score, which is what lets a single
// aggregation group documents from both indices by identity; criticalityLevel is the
// watchlist-specific keyword label.
PUT watchlist
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "identifierType": {
        "type": "keyword"
      },
      "identifierValue": {
        "type": "keyword"
      },
      "criticalityLevel": {
        "type": "keyword"
      }
    }
  }
}
// Three sample risk-score documents (one action line + one source line each).
// The `index` action carries no `_id`, so Elasticsearch generates one per document and
// re-running this request appends duplicates instead of replacing the earlier copies.
// All three share the same @timestamp, so after a re-run the `@timestamp: desc` sorts in
// the aggregations above cannot distinguish the old copy from the new one.
POST _bulk
{ "index" : { "_index" : "risk_score" } }
{ "identifierType": "host", "identifierValue": "host 1", "riskScoreLevel": "Low", "riskScore": 0.2, "@timestamp": 1682082684420 }
{ "index" : { "_index" : "risk_score" } }
{ "identifierType": "host", "identifierValue": "host 2", "riskScoreLevel": "High", "riskScore": 0.8, "@timestamp": 1682082684420 }
{ "index" : { "_index" : "risk_score" } }
{ "identifierType": "host", "identifierValue": "host 3", "riskScoreLevel": "High", "riskScore": 0.8, "@timestamp": 1682082684420 }
// Three sample watchlist entries. host 2 and host 3 overlap with the risk_score sample,
// host 4 has no risk score — the case the multi_terms comment above calls out (buckets
// without a risk score). Same caveats as the risk_score bulk: no explicit `_id`, so a
// re-run duplicates the data, and every document shares one @timestamp.
POST _bulk
{ "index" : { "_index" : "watchlist" } }
{ "identifierType": "host", "identifierValue": "host 2", "criticalityLevel": "High", "@timestamp": 1682082684420 }
{ "index" : { "_index" : "watchlist" } }
{ "identifierType": "host", "identifierValue": "host 3", "criticalityLevel": "High", "@timestamp": 1682082684420 }
{ "index" : { "_index" : "watchlist" } }
{ "identifierType": "host", "identifierValue": "host 4", "criticalityLevel": "Low", "@timestamp": 1682082684420 }