berggren/example_index_analyzer.py

## example_index_analyzer.py
"""TheIndexAnalyzer."""
from __future__ import unicode_literals

from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager


class TheIndexAnalyzer(interface.BaseIndexAnalyzer):
    """The Index Analyzer."""

    NAME = 'TheIndexAnalyzer'

    def __init__(self, index_name):
        """Initialize the Index Analyzer.

        Args:
            index_name: Elasticsearch index name
        """
        super(TheIndexAnalyzer, self).__init__(index_name)

    def run(self):
        """Entry point for the analyzer.

        Returns:
            String with summary of the analyzer result
        """
        # TODO: Add Elasticsearch query to get the events you need.
        # Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html
        query = ''

        # TODO: Specify what returned fields you need for your analyzer.
        return_fields = ['message']

        # Generator of events based on your query.
        events = self.event_stream(
            query_string=query,
            return_fields=return_fields
        )

        # TODO: Add analyzer logic here.
        # Methods available to use for index analyzers:
        # event.add_attributes({'foo': 'bar'})
        # event.add_tags(['tag_name'])
        for event in events:
            pass

        # TODO: Return a summary from the analyzer.
        return 'String to be returned'


manager.AnalysisManager.register_analyzer(TheIndexAnalyzer)
	"""TheIndexAnalyzer."""
	from __future__ import unicode_literals

	from timesketch.lib.analyzers import interface
	from timesketch.lib.analyzers import manager


	class TheIndexAnalyzer(interface.BaseIndexAnalyzer):
	"""The Index Analyzer."""

	NAME = 'TheIndexAnalyzer'

	def __init__(self, index_name):
	"""Initialize the Index Analyzer.

	Args:
	index_name: Elasticsearch index name
	"""
	super(TheIndexAnalyzer, self).__init__(index_name)

	def run(self):
	"""Entry point for the analyzer.

	Returns:
	String with summary of the analyzer result
	"""
	# TODO: Add Elasticsearch query to get the events you need.
	# Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html
	query = ''

	# TODO: Specify what returned fields you need for your analyzer.
	return_fields = ['message']

	# Generator of events based on your query.
	events = self.event_stream(
	query_string=query,
	return_fields=return_fields
	)

	# TODO: Add analyzer logic here.
	# Methods available to use for index analyzers:
	# event.add_attributes({'foo': 'bar'})
	# event.add_tags(['tag_name'])
	for event in events:
	pass

	# TODO: Return a summary from the analyzer.
	return 'String to be returned'


	manager.AnalysisManager.register_analyzer(TheIndexAnalyzer)