Hi,
So I have a search query written in Python to look for CloudTrail events. This works fine, however I would like to move this even further and access more data from the document my search finds.
This is what I have atm:
from datetime import datetime, timezone
from elasticsearch import Elasticsearch

# Assumed setup (not shown in the post): the client and the date suffix
# used in the "*-<date>" index pattern.
es = Elasticsearch()
now = datetime.now(timezone.utc).strftime("%Y.%m.%d")

res = es.search(index="*-{0}".format(now), doc_type="record", body={
    "query": {
        "bool": {
            # match any one of the security-group API calls
            "must": {
                "bool": {
                    "should": [
                        {"match": {"eventName": "AuthorizeSecurityGroupIngress"}},
                        {"match": {"eventName": "AuthorizeSecurityGroupEgress"}},
                        {"match": {"eventName": "RevokeSecurityGroupIngress"}},
                        {"match": {"eventName": "RevokeSecurityGroupEgress"}},
                        {"match": {"eventName": "CreateSecurityGroup"}},
                        {"match": {"eventName": "DeleteSecurityGroup"}}
                    ]
                }
            },
            # drop events issued through the packer_runner session
            "must_not": {
                "match": {"userIdentity.sessionContext.sessionIssuer.userName": "packer_runner"}
            },
            # restrict to the last 15 minutes
            "filter": {
                "range": {
                    "eventTime": {
                        "gte": "now-15m",
                        "lt": "now"
                    }
                }
            }
        }
    }
})
What I want is to be able to view the whole document matching this query. What I get at the moment is just this:
{'took': 1, 'timed_out': False, '_shards': {'total': 6, 'successful': 6, 'skipped': 0, 'failed': 0}, 'hits': {'total': 0, 'max_score': None, 'hits': []}}
I was looking at the .get() method, but it requires a document id, and I can't get anything from my search. How can I improve this?
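As an added example (not code from the post above), the following shows where the full document lives in a search response and how to pull it out without a second .get() round-trip: every hit under hits.hits carries its _id plus the stored document in _source. The sample responses below are constructed to mirror the shape es.search() returns; the CloudTrail field names used in summarise() (eventName, eventTime, userIdentity, requestParameters) are an assumption about the indexed records. The response quoted in the post has hits.total of 0, so hits.hits is an empty list and there is nothing to read yet; the helpers handle that case as well as the newer {"value": N} form of hits.total.

```python
"""Added example (not from the original post): read matching CloudTrail
documents out of an Elasticsearch search response and summarise them.

Assumptions: the response uses the standard hits.hits[]._source layout
returned by es.search(); the documents carry the CloudTrail fields
eventName, eventTime, userIdentity and requestParameters. All sample
data here is constructed, not real CloudTrail output.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample of what es.search() returns when the query DOES match.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "took": 3, "timed_out": False,
    "_shards": {"total": 6, "successful": 6, "skipped": 0, "failed": 0},
    "hits": {
        "total": 2, "max_score": 1.0,
        "hits": [
            {
                "_index": "cloudtrail-2019.01.01", "_type": "record",
                "_id": "doc-0001", "_score": 1.0,
                "_source": {
                    "eventName": "AuthorizeSecurityGroupIngress",
                    "eventTime": "2019-01-01T10:15:00Z",
                    "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "alice"}}},
                    "requestParameters": {"groupId": "sg-0123456789abcdef0"},
                },
            },
            {
                "_index": "cloudtrail-2019.01.01", "_type": "record",
                "_id": "doc-0002", "_score": 0.9,
                "_source": {
                    "eventName": "DeleteSecurityGroup",
                    "eventTime": "2019-01-01T10:20:00Z",
                    "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "bob"}}},
                    "requestParameters": {"groupId": "sg-0fedcba9876543210"},
                },
            },
        ],
    },
}

# Constructed copy of the zero-hit case: hits.hits is simply an empty list.
EMPTY_RESPONSE: Dict[str, Any] = {
    "took": 1, "timed_out": False,
    "_shards": {"total": 6, "successful": 6, "skipped": 0, "failed": 0},
    "hits": {"total": 0, "max_score": None, "hits": []},
}


def total_hits(res: Dict[str, Any]) -> int:
    """Number of matching documents. Newer Elasticsearch versions return
    hits.total as {"value": N, "relation": "eq"} instead of a bare int."""
    total = res["hits"]["total"]
    return int(total["value"]) if isinstance(total, dict) else int(total)


def extract_documents(res: Dict[str, Any]) -> List[Tuple[str, Dict[str, Any]]]:
    """Return (document id, full document) pairs. The whole stored document
    is already in each hit's _source, so no es.get() call is needed."""
    return [(hit["_id"], hit["_source"]) for hit in res["hits"]["hits"]]


def summarise(source: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the fields a reviewer of security-group changes wants to see.
    Chained .get() calls keep this safe when a nested key is absent."""
    issuer = (source.get("userIdentity", {})
                    .get("sessionContext", {})
                    .get("sessionIssuer", {}))
    return {
        "eventName": source.get("eventName"),
        "eventTime": source.get("eventTime"),
        "userName": issuer.get("userName"),
        "groupId": source.get("requestParameters", {}).get("groupId"),
    }


def security_group_changes(res: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One summary per hit, with the _id attached in case es.get() is wanted later."""
    return [dict(summarise(src), _id=doc_id) for doc_id, src in extract_documents(res)]


if __name__ == "__main__":
    for row in security_group_changes(SAMPLE_RESPONSE):
        print(row)
    print("matches in empty response:", total_hits(EMPTY_RESPONSE))
```

Two caveats when wiring this to a live search: es.search() returns at most 10 hits unless the body sets "size" (or the scroll / search_after APIs are used), so a 15-minute window with many security-group changes can silently truncate; and a response with hits.total of 0 means the index pattern and time window matched nothing at all, so the first thing to check is that the "*-<date>" pattern resolves to the index where the last 15 minutes of events actually landed.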