Index action, index search output as multiple documents

Hi!
I need to create a watch that searches several indices for certain events and then writes each matching document as a separate document to a new index.
I have already read this topic and got the idea, but I am still looking for a working approach.
If anyone can provide an example of a working script transform, that would be perfect.
I am on 6.6.1.
Here is my watch:

	{
	"trigger": {
		"schedule": {
			"interval": "1m"
		}
	},
	"input": {
		"search": {
			"request": {
				"search_type": "query_then_fetch",
				"indices": [
					"networklogs-cisco-step_dit*",
					"networklogs-fortinet-step_dit*"
				],
				"types": [
					"doc"
				],
				"body": {
					"size": 50,
					"query": {
						"bool": {
							"filter": [
								{
									"range": {
										"@timestamp": {
											"lt": "now",
											"gte": "now-5m"
										}
									}
								},
								{
									"term": {
										"destination.port": 445
									}
								},
								{
									"terms": {
										"event.action": [
											"pass",
											"passthrough",
											"log-only",
											"allowed",
											"accept",
											"dns",
											"ip-conn",
											"allow",
											"allowed"
										]
									}
								}
							]
						}
					}
				}
			}
		}
	},
	"condition": {
		"compare": {
			"ctx.payload.hits.total": {
				"gte": 1
			}
		}
	},
	"actions": {
		"create_incident": {
			"transform": {
				"script": {
					"source": "<I am stuck here>"
				}
			},
			"index": {
				"index": "alerts",
				"doc_type": "doc"
			}
		}
	}
}

Check out the examples repo; IIRC the port-scanning watch contains a transform that does exactly that.

Hi, @spinscale
Thank you for your reply. I checked the script you mentioned; it is more than I need for my task.
I was able to write a less elegant but shorter script. One caveat worth noting: because the trigger fires every 1m while the query window is `now-5m`, and the transform copies only `_source` (dropping the original `_id`), the same source event can be written to `alerts` up to five times; carrying the `_id` through (or narrowing the range to the trigger interval) avoids duplicate alerts. Also, `"size": 50` silently truncates anything beyond the first 50 hits per run.

"actions": {
    "create_incident": {
        "transform": {
            "script": {
                "source": "def buff_arr = ctx.payload.hits.hits; def result_arr = []; for (item in buff_arr) { result_arr.add(item._source); } return ['_doc': result_arr]",
                "lang": "painless"
            }
        },
        "index": {
            "index": "alerts",
            "doc_type": "doc"
        }
    }
}
