Uploading an Elasticsearch index template for an Apache Metron parser (the template is stored in the Elasticsearch cluster Metron indexes into; Metron itself is not involved in the upload)

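# Upload an Elasticsearch index template for one Metron parser and verify it.
#
# Inputs:
#   ELASTICSEARCH_MASTER  host:port of an Elasticsearch REST endpoint
#   PARSER_NAME           Metron sensor name; the template is stored under
#                         "${PARSER_NAME}_index" and template.json must declare a
#                         matching "template": "<PARSER_NAME>_index*" pattern
#   template.json         the mapping file, read from the current directory
#
# NOTE(review): this talks to Elasticsearch over plain HTTP with no credentials,
# so anyone who can reach port 9200 can replace the mapping. Acceptable only when
# the REST port is firewalled to the Metron hosts; otherwise use https:// and pass
# credentials via --netrc or -H @file, not on the command line (visible in ps and
# shell history). template.json also turns on "fielddata" for the threat:triage
# text fields, which loads those terms onto the JVM heap — fine for short, low
# cardinality rule names/reasons, but a cost to keep in mind when adding fields.
export ELASTICSEARCH_MASTER=condla0.field.hortonworks.com:9200
export PARSER_NAME=squid

# Elasticsearch 6+ rejects request bodies that lack an explicit JSON Content-Type.
readonly JSON_HEADER='Content-Type: application/json'

# Upload the template.
# The original wrote "$PARSER_index", which bash reads as the (unset) variable
# PARSER_index rather than PARSER_NAME + "_index", so the request went to an
# empty template name; braces make the concatenation explicit. PUT is the
# documented verb for _template, and --fail turns a 4xx/5xx response into a
# non-zero exit instead of printing an error body next to a success-looking run.
curl --fail -sS -X PUT -H "$JSON_HEADER" \
  "${ELASTICSEARCH_MASTER}/_template/${PARSER_NAME}_index" \
  -d @template.json
echo
## expected output:
## {"acknowledged":true}

# Check that the stored template is the intended one (name, doc type, index
# pattern). Fetching the single template by name avoids pulling every template on
# the cluster and grepping through the dump.
curl --fail -sS -X GET "${ELASTICSEARCH_MASTER}/_template/${PARSER_NAME}_index" \
  | python -m json.tool
## expected output (abridged):
##     "squid_index": {
##         "squid_doc": {
##     "template": "squid_index*"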
{
"template": "squid_index*",
"mappings": {
"squid_doc": {
"dynamic_templates": [
{
"geo_location_point": {
"match": "enrichments:geo:*:location_point",
"match_mapping_type": "*",
"mapping": {
"type": "geo_point"
}
}
},
{
"geo_country": {
"match": "enrichments:geo:*:country",
"match_mapping_type": "*",
"mapping": {
"type": "keyword"
}
}
},
{
"geo_city": {
"match": "enrichments:geo:*:city",
"match_mapping_type": "*",
"mapping": {
"type": "keyword"
}
}
},
{
"geo_location_id": {
"match": "enrichments:geo:*:locID",
"match_mapping_type": "*",
"mapping": {
"type": "keyword"
}
}
},
{
"geo_dma_code": {
"match": "enrichments:geo:*:dmaCode",
"match_mapping_type": "*",
"mapping": {
"type": "keyword"
}
}
},
{
"geo_postal_code": {
"match": "enrichments:geo:*:postalCode",
"match_mapping_type": "*",
"mapping": {
"type": "keyword"
}
}
},
{
"geo_latitude": {
"match": "enrichments:geo:*:latitude",
"match_mapping_type": "*",
"mapping": {
"type": "float"
}
}
},
{
"geo_longitude": {
"match": "enrichments:geo:*:longitude",
"match_mapping_type": "*",
"mapping": {
"type": "float"
}
}
},
{
"timestamps": {
"match": "*:ts",
"match_mapping_type": "*",
"mapping": {
"type": "date",
"format": "epoch_millis"
}
}
},
{
"threat_triage_score": {
"mapping": {
"type": "float"
},
"match": "threat:triage:*score",
"match_mapping_type": "*"
}
},
{
"threat_triage_reason": {
"mapping": {
"type": "text",
"fielddata": "true"
},
"match": "threat:triage:rules:*:reason",
"match_mapping_type": "*"
}
},
{
"threat_triage_name": {
"mapping": {
"type": "text",
"fielddata": "true"
},
"match": "threat:triage:rules:*:name",
"match_mapping_type": "*"
}
}
],
"properties": {
"timestamp": {
"type": "date",
"format": "epoch_millis"
},
"source:type": {
"type": "keyword"
},
"ip_dst_addr": {
"type": "ip"
},
"ip_dst_port": {
"type": "integer"
},
"ip_src_addr": {
"type": "ip"
},
"ip_src_port": {
"type": "integer"
},
"action": {
"type": "keyword"
},
"bytes": {
"type": "integer"
},
"code": {
"type": "integer"
},
"elapsed": {
"type": "integer"
},
"method": {
"type": "keyword"
},
"url": {
"type": "keyword"
},
"metron_alert": {
"type": "nested"
},
"guid": {
"type": "keyword"
}
}
}
}
}