I have documents/web logs that have a source IP and an HTTP method (GET, POST, PUT...).
I need to query a list of source IPs that only did POST in a specified time window.
Any ideas?
Use a match query to filter this.
Ideally use that in a bool query with 2 filter clauses: one with the range query on the date and one with the match or term query on the verb.
How would it work for this set? I'm after a list with 1.1.1.1, 4.4.4.4
id:1, src.ip:1.1.1.1, http_method:POST
id:2, src.ip:2.2.2.2, http_method:POST
id:3, src.ip:2.2.2.2, http_method:GET
id:4, src.ip:3.3.3.3, http_method:POST
id:5, src.ip:3.3.3.3, http_method:GET
id:6, src.ip:4.4.4.4, http_method:POST
(scale to several million)
Could you provide a full recreation script as described in the About the Elasticsearch category? It will help to better understand what you are doing. Please try to keep the example as simple as possible.
A full reproduction script will help readers to understand, reproduce and, if needed, fix your problem. It will also most likely help to get a faster answer.
I ended up using this.
# SQL endpoint: group the last 10 minutes by src.ip, keep IPs with exactly one
# distinct method, keep only the POST rows, and timestamp each line (ts is from moreutils).
curl -k -XPOST -u USERNAME:PASSWORD --header 'Content-Type: application/json' \
  'https://localhost:9200/_sql?format=txt' \
  -d "{ \"query\": \"SELECT src.ip, max(\\\"@timestamp\\\") times, (CURRENT_TIMESTAMP - interval 10 minutes) cutOfDate, max(http.http_method) method, count(distinct http.http_method) methods FROM \\\"logs-syslog\\\" WHERE \\\"@timestamp\\\" >= CURRENT_TIMESTAMP - interval 10 minutes AND host.name = 'SOME-HOSTNAME' group by src.ip having methods = 1\" }" \
  | grep POST | sed 's/|.*//' | ts '%d-%b-%Y %H:%M:%S' >> IP-list.log
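The same "only POST in the window" question answered with the aggregation DSL instead of SQL, as an added example that is not code from the thread: a bool range filter for the window, a terms bucket per src.ip, a filter sub-bucket counting POSTs, and a bucket_selector that keeps a bucket only when every request in it was a POST. It assumes src.ip and http.http_method are keyword fields, that the terms size covers all IPs in the window, and uses the six documents from the question as constructed sample data.

```python
from collections import defaultdict

def only_post_query(minutes: int, size: int = 10000) -> dict:
    """Query DSL: bool filter for the window, terms bucket per src.ip, a filter
    sub-bucket counting POSTs, and a bucket_selector that keeps an IP only when
    every request in its bucket was a POST."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}},
        ]}},
        "aggs": {"by_ip": {
            "terms": {"field": "src.ip", "size": size},
            "aggs": {
                "posts": {"filter": {"term": {"http.http_method": "POST"}}},
                "only_post": {"bucket_selector": {
                    "buckets_path": {"total": "_count", "posts": "posts._count"},
                    "script": "params.posts == params.total",
                }},
            },
        }},
    }

def ips_from_response(resp: dict) -> list:
    """Surviving src.ip keys; buckets the selector dropped are simply absent."""
    return sorted(b["key"] for b in resp["aggregations"]["by_ip"]["buckets"])

def only_post_local(docs: list) -> list:
    """The same predicate in plain Python, to sanity-check the aggregation."""
    seen = defaultdict(set)
    for d in docs:
        seen[d["src.ip"]].add(d["http_method"])
    return sorted(ip for ip, methods in seen.items() if methods == {"POST"})

# Constructed sample data: the six documents from the question.
SAMPLE_DOCS = [
    {"id": 1, "src.ip": "1.1.1.1", "http_method": "POST"},
    {"id": 2, "src.ip": "2.2.2.2", "http_method": "POST"},
    {"id": 3, "src.ip": "2.2.2.2", "http_method": "GET"},
    {"id": 4, "src.ip": "3.3.3.3", "http_method": "POST"},
    {"id": 5, "src.ip": "3.3.3.3", "http_method": "GET"},
    {"id": 6, "src.ip": "4.4.4.4", "http_method": "POST"},
]

# Constructed: the response shape Elasticsearch returns for the query above.
SAMPLE_RESPONSE = {"aggregations": {"by_ip": {"buckets": [
    {"key": "1.1.1.1", "doc_count": 1, "posts": {"doc_count": 1}},
    {"key": "4.4.4.4", "doc_count": 1, "posts": {"doc_count": 1}},
]}}}
```

Send `only_post_query(10)` as the body of a `_search` on the index and pass the JSON reply to `ips_from_response`; the local function gives the expected answer for the sample set.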
© 2020. All Rights Reserved - Elasticsearch