Hi Folks,
I understand this might be off-topic, but I need help using jq with my bash script to extract IP addresses. Somehow my filter is not working, hence I need your help. I am extracting src_ip for the last 24 hours.
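#######################################
# Query Elasticsearch for the five most frequent src_ip values and print
# the raw JSON response.
# NOTE: the function name "test" shadows the shell's `test` builtin for
# the rest of this script; it is kept because callers use it, but any
# `test`/`[` conditions in this file should use `[[ ... ]]` instead.
# Globals:   ES_AUTH - optional "user:password" for the -u option;
#            defaults to the original placeholder. Anything passed via
#            -u is visible to every local user in `ps`; a mode-0600
#            ~/.netrc with `curl -n` keeps it off the command line.
# Arguments: none
# Outputs:   JSON response on stdout. The terms aggregation is named
#            "2", so the bucket keys are extracted with
#              ./test.sh | jq -r '.aggregations."2".buckets[].key'
#            An unquoted `.2` is read by jq as a numeric literal, which
#            is the "Invalid numeric literal" compile error.
# Returns:   curl's exit status
#######################################
test() {
  local -r url='https://127.0.0.1:16577/logstash-*/_search'
  local -r auth=${ES_AUTH:-xxxx:xxxx}
  # --insecure disables TLS certificate verification (kept from the
  # original invocation; replace with --cacert <ca-file> once the cluster
  # certificate is available so the credentials cannot be intercepted).
  # -S still prints curl errors to stderr although -s hides the progress
  # meter. The request body is read from the quoted heredoc on stdin
  # (-d @-), so no shell expansion happens inside the JSON.
  curl --insecure -sS -u "$auth" -XGET "$url" \
    -H 'Content-Type: application/json' \
    -d @- <<'EOF'
{
  "aggs": {
    "2": {
      "terms": {
        "field": "src_ip.keyword",
        "order": { "_count": "desc" },
        "size": 5
      }
    }
  },
  "size": 0,
  "_source": { "excludes": [] },
  "stored_fields": [ "*" ],
  "script_fields": {},
  "docvalue_fields": [
    { "field": "@timestamp", "format": "date_time" },
    { "field": "timestamp", "format": "date_time" }
  ],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-1d/d",
              "lte": "now/d"
            }
          }
        }
      ],
      "filter": [ { "match_all": {} } ],
      "should": [],
      "must_not": []
    }
  }
}
EOF
}
# NOTE(review): "now-1d/d".."now/d" rounds both ends to the day boundary,
# i.e. it selects yesterday's calendar day rather than a rolling 24-hour
# window; "now-24h".."now" would be the latter — confirm which is wanted.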
# Entry point: run the query and write the raw JSON response to stdout.
test
Here is my output:
./test.sh | jq
{
"took": 27,
"timed_out": false,
"_shards": {
"total": 97,
"successful": 97,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 10000,
"relation": "gte"
},
"max_score": null,
"hits": []
},
"aggregations": {
"2": {
"doc_count_error_upper_bound": 1448,
"sum_other_doc_count": 78005,
"buckets": [
{
"key": "202.179.3.118",
"doc_count": 19115
},
{
"key": "103.212.19.210",
"doc_count": 16650
},
{
"key": "202.12.82.23",
"doc_count": 7305
},
{
"key": "103.207.4.42",
"doc_count": 7119
},
{
"key": "202.164.48.234",
"doc_count": 6001
}
]
}
}
}
But I need only the IP addresses; here I am passing the aggregations to jq, but I am unable to extract them.
./test.sh | jq '.aggregations.2.buckets[].key'
jq: error: Invalid numeric literal at EOF at line 1, column 3 (while parsing '.2.') at <top-level>, line 1:
.aggregations.2.buckets[].key
jq: error: syntax error, unexpected LITERAL, expecting $end (Unix shell quoting issues?) at <top-level>, line 1:
.aggregations.2.buckets[].key
jq: 2 compile errors
(23) Failed writing body
./test.sh | jq '.aggregations.buckets[].key'
jq: error (at <stdin>:0): Cannot iterate over null (null)