
@richcollier
Created October 25, 2019 13:48
#==== a filtered search with one aggregation
# Counts the distinct client IPs behind responses whose body_sent.bytes is >= 30000000.
# The range filter is evaluated per document (one nginx access log line), not as a
# per-IP total. "size": 0 suppresses hits so only the aggregation comes back.
# The cardinality aggregation is an approximate distinct count in Elasticsearch, so
# greedy_ips.value can differ slightly from the exact number of IPs.
GET filebeat-6.1.0-2017-elasticco-anon/_search
{
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"nginx.access.body_sent.bytes": {
"gte": 30000000
}
}
}
}
},
"aggs": {
"greedy_ips": {
"cardinality": {
"field": "nginx.access.remote_ip"
}
}
}
}
#==== a watch that uses that search
# Runs the same filtered search every 60s, but against every filebeat-* index rather
# than the single index used in the ad-hoc search above. The query has no @timestamp
# window, so each run re-evaluates all retained documents, not just the last interval.
# The condition fires when more than 50 distinct IPs have been served a response of
# >= 30000000 bytes; the only action is a line in the Elasticsearch log. The alert
# text says "more than 30000000 bytes" while the filter is gte per response, not a
# per-IP total. _execute runs the watch once for testing without storing it.
POST _watcher/watch/_execute
{
"watch": {
"trigger": {
"schedule": {
"interval": "60s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"filebeat-*"
],
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"nginx.access.body_sent.bytes": {
"gte": 30000000
}
}
}
}
},
"aggs": {
"greedy_ips": {
"cardinality": {
"field": "nginx.access.remote_ip"
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.greedy_ips.value": {
"gt": 50
}
}
},
"actions": {
"log": {
"logging": {
"text": "ALERT! - There are {{ctx.payload.aggregations.greedy_ips.value}} IPs that are downloading more than 30000000 bytes"
}
}
}
}
}
#==== a search with additional aggregations and sub aggregations
# Same filter and distinct-IP count as above, plus a per-IP breakdown: the terms
# aggregation keeps the 10 remote_ip buckets with the most matching requests and, for
# each, sums body_sent.bytes and lists its 10 most frequent URLs. Terms buckets are
# ordered by doc_count, not by sum_bytes, so the heaviest downloaders by volume are
# not guaranteed to all appear in top_10_ips.
GET filebeat-6.1.0-2017-elasticco-anon/_search
{
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"nginx.access.body_sent.bytes": {
"gte": 30000000
}
}
}
}
},
"aggs": {
"greedy_ips": {
"cardinality": {
"field": "nginx.access.remote_ip"
}
},
"top_10_ips": {
"terms": {
"field": "nginx.access.remote_ip",
"size": 10
},
"aggs": {
"sum_bytes": {
"sum": {
"field": "nginx.access.body_sent.bytes"
}
},
"top_url": {
"terms": {
"field": "nginx.access.url",
"size": 10
}
}
}
}
}
}
#==== a watch that uses the additional aggs and reformats the results
# Same trigger, input and condition as the watch above. The log action first runs a
# Painless transform that flattens each top_10_ips bucket to {ip, bytes, url}, and the
# mustache template then iterates ctx.payload._value. 'url' is only the first (most
# frequent) top_url bucket; buckets.0 would fail for an IP whose documents carry no
# nginx.access.url value, since that bucket list would be empty.
# The logged text contains client IPs and request URLs, so the Elasticsearch log
# inherits that data and should be protected accordingly.
POST _watcher/watch/_execute
{
"watch": {
"trigger": {
"schedule": {
"interval": "60s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"filebeat-*"
],
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"nginx.access.body_sent.bytes": {
"gte": 30000000
}
}
}
}
},
"aggs": {
"greedy_ips": {
"cardinality": {
"field": "nginx.access.remote_ip"
}
},
"top_10_ips": {
"terms": {
"field": "nginx.access.remote_ip",
"size": 10
},
"aggs": {
"sum_bytes": {
"sum": {
"field": "nginx.access.body_sent.bytes"
}
},
"top_url": {
"terms": {
"field": "nginx.access.url",
"size": 10
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.greedy_ips.value": {
"gt": 50
}
}
},
"actions": {
"log": {
"transform": {
"script": """
return ctx.payload.aggregations.top_10_ips.buckets.stream()
.map(p -> [
'ip':p.key,
'bytes' : p.sum_bytes.value,
'url' : p.top_url.buckets.0.key
])
.collect(Collectors.toList());
"""
},
"logging": {
"text": """
ALERT! - There are IPs that are downloading more than 30000000 bytes
Top 10 Offenders:
=================
{{#ctx.payload._value}}
ip={{ip}}
bytes={{bytes}}
top_url={{url}}
{{/ctx.payload._value}}
"""
}
}
}
}
}