Created
January 4, 2019 19:55
-
-
Save FrankHassanabad/8d48eb55869ebdafec8b8a55a8d2b3f6 to your computer and use it in GitHub Desktop.
ES Query Snippets
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Full text queries | |
| # | |
| # Match all | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "match_all": {} | |
| } | |
| } | |
| # Match a single query | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "match": { | |
| "process.name": { | |
| "query": "java" | |
| } | |
| } | |
| } | |
| } | |
| # Match a phrase | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "match_phrase" : { | |
| "process.name" : "java" | |
| } | |
| } | |
| } | |
| # Simple average using size: 0 so that results are not returned | |
| GET /auditbeat-*/_search | |
| { | |
| "size": 0, | |
| "aggs": { | |
| "avg_port_number": { | |
| "avg": { | |
| "field": "source.port" | |
| } | |
| } | |
| } | |
| } | |
| # Cardinality using size: 0 so that results are not returned | |
| # Count the number of process names | |
| GET /auditbeat-*/_search | |
| { | |
| "size": 0, | |
| "aggs": { | |
| "type_count": { | |
| "cardinality": { | |
| "field": "process.name" | |
| } | |
| } | |
| } | |
| } | |
| # Term aggregations using size: 0 so that results are not returned | |
| GET /auditbeat-*/_search | |
| { | |
| "size": 0, | |
| "aggs": { | |
| "processes": { | |
| "terms": { | |
| "field": "process.name" | |
| } | |
| } | |
| } | |
| } | |
| # Term aggregations using size: 0 so that results are not returned | |
| GET /auditbeat-*/_search | |
| { | |
| "size": 0, | |
| "aggs": { | |
| "processes": { | |
| "terms": { | |
| "field": "host.id" | |
| } | |
| } | |
| } | |
| } | |
| # Match with lucene type syntax | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "query_string" : { | |
| "default_field" : "process.name", | |
| "query" : "(sshd)" | |
| } | |
| } | |
| } | |
| # Example fields query (lucene type syntax) | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "query_string" : { | |
| "fields" : ["process.name"], | |
| "query" : "(sshd)" | |
| } | |
| } | |
| } | |
| # Example NOT with AND (lucene type syntax) | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "query_string" : { | |
| "default_field" : "process.name", | |
| "query" : "NOT java AND NOT google_accounts" | |
| } | |
| } | |
| } | |
| # | |
| # Term queries | |
| # | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "term" : { "process.name" : "java" } | |
| } | |
| } | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "terms" : { "process.name" : ["java", "sshd"] } | |
| } | |
| } | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "range" : { | |
| "age" : { | |
| "gte" : 10, | |
| "lte" : 20, | |
| "boost" : 2.0 | |
| } | |
| } | |
| } | |
| } | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "range" : { | |
| "destination.port" : { | |
| "gte" : 5000, | |
| "lte" : 6000 | |
| } | |
| } | |
| } | |
| } | |
| # Exists | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "exists": { "field": "process.name" } | |
| } | |
| } | |
| # Count | |
| GET /auditbeat-*/_count | |
| { | |
| "query": { | |
| "exists": { "field": "process.name" } | |
| } | |
| } | |
| # Exists with multiple fields | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "bool": { | |
| "should": [{ | |
| "exists": { | |
| "field": "process.name" | |
| } | |
| }, { | |
| "exists": { | |
| "field": "process.exe" | |
| } | |
| }, { | |
| "exists": { | |
| "field": "process.title" | |
| } | |
| }] | |
| } | |
| } | |
| } | |
| # Not exists | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "bool": { | |
| "must_not": { | |
| "exists": { | |
| "field": "process.name" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # Prefix query | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "prefix": { | |
| "process.name": "j" | |
| } | |
| } | |
| } | |
| # Prefix query with not | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "bool": { | |
| "must_not": { | |
| "prefix": { | |
| "process.name": "j" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # wild card | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "wildcard": { | |
| "process.name": "j*a" | |
| } | |
| } | |
| } | |
| # wild card get only a few source files and filter only | |
| # on python for the process | |
| GET /auditbeat-*/_search | |
| { | |
| "size": 100, | |
| "_source": ["process.exe", "process.name", "process.pid"], | |
| "query": { | |
| "wildcard": { | |
| "process.exe": "*python*" | |
| } | |
| } | |
| } | |
| # Regular Expression | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "regexp": { | |
| "process.name": "j.*a" | |
| } | |
| } | |
| } | |
| # Fuzzy query | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "fuzzy": { | |
| "process.name": "jaba" | |
| } | |
| } | |
| } | |
| # type query (deprecated) | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "type" : { | |
| "value" : "_doc" | |
| } | |
| } | |
| } | |
| # Query by a specific id. It uses the _id field | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "ids": { | |
| "type": "_doc", | |
| "values": [ | |
| "qgD5hWcB0WOhS6qy4Sj-", | |
| "sAD5hWcB0WOhS6qy4Sj-" | |
| ] | |
| } | |
| } | |
| } | |
| # query must | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "bool": { | |
| "must": { | |
| "term": { | |
| "process.name": "java" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # query filter | |
| GET /auditbeat-*/_search | |
| { | |
| "sort" : [ | |
| { "@timestamp" : {"order" : "asc"}}, | |
| ], | |
| "query": { | |
| "bool": { | |
| "filter": { | |
| "term": { | |
| "process.name": "java" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # query filter with sort added | |
| GET /auditbeat-*/_search | |
| { | |
| "sort": [ | |
| { | |
| "@timestamp": { | |
| "order": "asc" | |
| } | |
| } | |
| ], | |
| "query": { | |
| "bool": { | |
| "filter": { | |
| "term": { | |
| "process.name": "java" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # query filter with the _name | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "bool": { | |
| "filter": { | |
| "terms": { | |
| "process.name": [ | |
| "java", "sshd" | |
| ], | |
| "_name": "process name" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # painless script | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "bool": { | |
| "filter": { | |
| "script": { | |
| "script": { | |
| "source": "doc['host.name'].value == 'siem-general'", | |
| "lang": "painless" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # painless script with scripted fields | |
| GET /auditbeat-*/_search | |
| { | |
| "query": { | |
| "match_all": {} | |
| }, | |
| "script_fields": { | |
| "test1": { | |
| "script": { | |
| "lang": "painless", | |
| "source": "doc['source.ip']" | |
| } | |
| } | |
| } | |
| } | |
| # Aggregate where I'm querying a process executable first and then a host id second | |
| GET /auditbeat-*/_search | |
| { | |
| "size": 0, | |
| "aggs": { | |
| "processes": { | |
| "terms": { | |
| "field": "process.name" | |
| }, | |
| "aggs": { | |
| "hosts": { | |
| "terms": { | |
| "field": "host.id" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| GET /auditbeat-*/_search | |
| { | |
| "size": 0, | |
| "aggs": { | |
| "process_count": { | |
| "cardinality": { | |
| "field": "process.name" | |
| } | |
| }, | |
| "processes": { | |
| "terms": { | |
| "field": "process.name", | |
| "order": [ | |
| { | |
| "_count": "asc" | |
| }, | |
| { | |
| "_key": "asc" | |
| } | |
| ] | |
| }, | |
| "aggs": { | |
| "process": { | |
| "top_hits": { | |
| "size": 1, | |
| "_source": [ | |
| "process.title", | |
| "process.name" | |
| ] | |
| } | |
| }, | |
| "hosts": { | |
| "terms": { | |
| "field": "host.id" | |
| }, | |
| "aggs": { | |
| "host": { | |
| "top_hits": { | |
| "size": 1, | |
| "_source": [ | |
| "host.name" | |
| ] | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # | |
| # Mappings | |
| # | |
| GET /auditbeat-*/_mapping |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment