Get all items

Hey! This is my first time working with Elastic.
I have a request like this, but it does not return data after August 10th.

{
  "query": {
    "bool": {
      "must_not": [
        {
          "term": {
            "suricata.eve.event_type": {
              "value": "alert"
            }
          }
        },
        {
          "term": {
            "suricata.eve.event_type": "anomaly"
          }
        }
      ],
      "filter": [
        {
          "exists": {
            "field": "suricata.eve.ether.dest_mac"
          }
        },
        {
          "exists": {
            "field": "suricata.eve.ether.src_mac"
          }
        },
        {
          "range": {
            "@timestamp": {
              "lte": "2021-08-24T10:49:26.593Z",
              "format": "strict_date_optional_time"
            }
          }
        },
        {
          "terms": {
            "destination.ip": [
              "10.0.0.0/8",
              "100.64.0.0/10",
              "172.16.0.0/12",
              "192.168.0.0/16"
            ]
          }
        },
        {
          "terms": {
            "source.ip": [
              "10.0.0.0/8",
              "100.64.0.0/10",
              "172.16.0.0/12",
              "192.168.0.0/16"
            ]
          }
        }
      ]
    }
  },
  "aggs": {
    "compositions": {
      "composite": {
        "size": 50000,
        "sources": [
          {
            "src_mac": {
              "terms": {
                "field": "suricata.eve.ether.src_mac"
              }
            }
          },
          {
            "dest_mac": {
              "terms": {
                "field": "suricata.eve.ether.dest_mac"
              }
            }
          },
          {
            "src_ip": {
              "terms": {
                "field": "source.ip"
              }
            }
          },
          {
            "dest_ip": {
              "terms": {
                "field": "destination.ip"
              }
            }
          }
        ]
      },
      "aggs": {
        "latest_hits": {
          "top_hits": {
            "sort": {
              "@timestamp": {
                "order": "desc"
              }
            },
            "size": 1
          }
        }
      }
    }
  }
}

I wanted to see all the data, but with a request like this, the data is returned only for August 3.

{
  "query": {
    "bool": {}
  }
}

How do I make a request to see all the data?

Most likely it is that queries by default only return 10 results; the size parameter defaults to 10.

Try "size": 1000,

See Here

If it is a very large set you will need to paginate
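Paging the hits properly, as an added example for this thread (it is not code posted by anyone in it): the default of 10 hits is why the unsorted query above only shows one day of data, and raising size to 1000 still truncates a large index. The loop below uses search_after with an explicit, total sort order. It assumes documents carrying the "@timestamp" field from the queries above plus a unique keyword field, "event.id", used as a tiebreaker (that field name is an assumption), and it simulates the Elasticsearch side in memory on constructed sample events so it runs offline; the request bodies it builds are the ones you would POST to /_search.

```python
"""Fetch every hit from an Elasticsearch search by paging with search_after.

Added example for this thread, not code posted by anyone in it. It assumes
documents with an "@timestamp" date field (as in the Suricata events above)
and a unique keyword field "event.id" (assumed) used as a tiebreaker; the
Elasticsearch side is simulated in memory so the script runs offline.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_SIZE = 10  # what Elasticsearch uses when "size" is omitted


def page_body(query, size=DEFAULT_SIZE, search_after=None):
    """Build the request body for one page.

    The sort must be explicit and total: "@timestamp" alone is not unique, so
    a second key ("event.id", assumed) breaks ties. Without it, documents that
    share a timestamp can be skipped or repeated across pages.
    """
    body = {
        "size": size,
        "query": query,
        "sort": [{"@timestamp": {"order": "desc"}}, {"event.id": {"order": "asc"}}],
    }
    if search_after is not None:
        body["search_after"] = search_after  # sort values of the previous page's last hit
    return body


def fetch_all(search, query, size=DEFAULT_SIZE):
    """Walk all pages. `search` is any callable taking a request body and
    returning the parsed JSON response. Returns (hits, bodies_sent)."""
    hits, bodies, after = [], [], None
    while True:
        body = page_body(query, size, after)
        bodies.append(body)
        page = search(body)["hits"]["hits"]
        hits.extend(page)
        if len(page) < size:        # a short page means nothing is left
            return hits, bodies
        after = page[-1]["sort"]    # opaque to the client: just echo it back


def constructed_index(n=23):
    """Constructed sample data: pairs of events share one timestamp so the
    tiebreaker is exercised; Aug 1 .. Aug 12 2021."""
    base = datetime(2021, 8, 1, tzinfo=timezone.utc)
    return [
        {"@timestamp": (base + timedelta(days=i // 2)).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
         "event.id": f"evt-{i:02d}"}
        for i in range(n)
    ]


def fake_search(index):
    """Minimal stand-in for POST /_search that honours size, the sort above and
    search_after. Real responses carry epoch-millis sort values for date fields;
    the ISO strings used here order the same way lexicographically."""
    ordered = sorted(index, key=lambda d: d["event.id"])
    ordered.sort(key=lambda d: d["@timestamp"], reverse=True)  # stable: ts desc, id asc

    def is_after(doc, after):
        ts, eid = doc["@timestamp"], doc["event.id"]
        return ts < after[0] or (ts == after[0] and eid > after[1])

    def search(body):
        docs = ordered
        if "search_after" in body:
            docs = [d for d in docs if is_after(d, body["search_after"])]
        page = docs[: body["size"]]
        return {"hits": {"hits": [
            {"_source": d, "sort": [d["@timestamp"], d["event.id"]]} for d in page
        ]}}

    return search


def demo():
    """Run the paginator against the constructed index with a match_all query."""
    return fetch_all(fake_search(constructed_index()), {"match_all": {}})


if __name__ == "__main__":
    hits, bodies = demo()
    print(f"{len(hits)} hits over {len(bodies)} requests")
    print("first hit:", hits[0]["_source"])
    print("search_after of 2nd request:", bodies[1]["search_after"])
```

Two things to keep in mind when moving this to a real cluster: the sort values Elasticsearch returns for a date field are epoch milliseconds, not the ISO string, so never rebuild them client-side, just pass the previous page's last "sort" array back; and "size" only governs hits, so the composite aggregation in the first query above is paged separately by sending back its "after_key", which is the same idea applied to buckets.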

Thanks for the answer! I had already figured it out myself and looked through what was needed in the morning.
