How to print more than 10 (default) output in chain query

addanuj · June 18, 2018, 4:08pm

I am not able to print more than 10 (which i think is default) output using below query

{
      "trigger": {
        "schedule": {
          "interval": "10s"
        }
      },
      "input": {
        "chain": {
          "inputs": [
            {
              "first": {
                "search": {
                  "request": {
                    "search_type": "query_then_fetch",
                    "indices": [
                      "logstash-security-*"
                    ],
                    "types": [],
                    "body": {
                      "aggs": {
                        "indicator": {
                          "terms": {
                            "field": "indicator.keyword",
                            "order": {
                              "_count": "desc"
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            },
            {
              "second": {
                "search": {
                  "request": {
                    "search_type": "query_then_fetch",
                    "indices": [
                      "logstash-checkpoint-*"
                    ],
                    "types": [],
                    "body": {
                      "query": {
                        "bool": {
                          "must": [
                            {
                              "query_string": {
                                "query": "dstip:{{#ctx.payload.first.aggregations.indicator.buckets}}{{key}} {{/ctx.payload.first.aggregations.indicator.buckets}}"
                              }
                            },
                            {
                              "range": {
                                "@timestamp": {
                                  "gte": "now-7d"
                                }
                              }
                            }
                          ]
                        }
                      }
                    }
                  }
                }
              }
            }
          ]
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.second.hits.total": {
            "gt": 0
          }
        }
      },
      "actions": {
        "log": {
          "logging": {
            "level": "info",
            "text": "Test"
          }
        },
        "send_mail": {
          "email": {
            "profile": "standard",
            "to": [
              "addanuj@gmail.com"
            ],
            "subject": "DEVTools test Internal connections to known malware IPs",
            "body": {
              "html": "<table border='2'><tr><th>ThreatIntel IP</th><th>count</th></tr><tr>{{#ctx.payload.first.aggregations.indicator.buckets}}<td>{{key}}</td><td>{{doc_count}}</td></tr><tr>{{/ctx.payload.first.aggregations.indicator.buckets}}</tr></table>"
            }
          }
        }
      }
    }

spinscale · June 22, 2018, 2:06pm

Check the size parameter of the search query.

--Alex

system · July 20, 2018, 2:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.