Not able to compare two loops in a chain query

addanuj · June 12, 2018, 8:57am

Hi i am trying to achieve below
I have two different index and i want to compare two fields values using loop and get result if any of the IP address value matches

for example :-
Index 1: threatintel
fields :- 1. indicator_ip
2. message
3. userid

Index 2: checkpoint
fields:- 1. srcip
2. dstip

using below watch condition i am only able to check only first value, how to use a loop to check all values

 "condition": {
    "compare": {
      "ctx.payload.first.hits.hits.0._source.srcip": {
        "eq": "{{ctx.payload.second.hits.hits.0._source.indicator-ip}}"
      }
    }
  },

@richcollier Please help

addanuj · June 12, 2018, 8:59am

First Chain Query

{
      "watch": 
      {
      "trigger": {
        "schedule": {
          "interval": "1m"
        }
      },
      "input": {
        "chain": {
          "inputs": [
            {
              "first": {
                "search": {
                  "request": {
                    "search_type": "query_then_fetch",
                    "indices": [
                      "logstash-checkpoint*"
                    ],
                    "types": [],
                    "body": {
                        "aggs": {
                            "time": {
                              "terms": {
                                "field": "@timestamp",
                                "order": {
                                  "_count": "desc"
                                }
                              },
                              "aggs": {
                                "srcip": {
                                  "terms": {
                                    "field": "srcip.keyword",
                                    "order": {
                                      "_count": "desc"
                                    }
                                  },
                                  "aggs": {
                                    "dstip": {
                                      "terms": {
                                        "field": "dstip.keyword",
                                          "order": {
                                          "_count": "desc"
                                        }
                                      }
                                    }
                                  }
                                }
                              }
                            }
                          },
                          "version": true,
                          "_source": {
                            "excludes": []
                          },
                          "stored_fields": [
                            "*"
                          ],
                          "script_fields": {},
                          "docvalue_fields": [
                            "@timestamp"
                          ],
                          "query": {
                            "bool": {
                              "must": [
                                {
                                  "match_all": {}
                                },
                                {
                                  "match_all": {}
                                },
                                {
                                  "exists": {
                                    "field": "srcip.keyword"
                                  }
                                },
                                {
                                  "exists": {
                                    "field": "dstip.keyword"
                                  }
                                },
                                {
                                  "range": {
                                    "@timestamp": {
                                        "gte": "{{ctx.trigger.scheduled_time}}||-1d",
                                        "lte": "{{ctx.trigger.scheduled_time}}",
                                        "format": "strict_date_optional_time||epoch_millis"
                                      }
                                  }
                                }
                              ],
                              "filter": [],
                              "should": [],
                              "must_not": []
                            }
                          }
                    }
                  }
                }
              }
            },

addanuj · June 12, 2018, 9:02am

Second Chain Query  
  {
              "second": {
                "search": {
                  "request": {
                    "search_type": "query_then_fetch",
                    "indices": [
                      "logstash-security-*"
                    ],
                    "types": [],
                    "body": {
                        "aggs": {
                            "time": {
                              "terms": {
                                "field": "@timestamp",
                                "size": 5,
                                "order": {
                                  "_count": "desc"
                                }
                              },
                              "aggs": {
                                "indicator": {
                                  "terms": {
                                    "field": "indicator.keyword",
                                    "size": 5,
                                    "order": {
                                      "_count": "desc"
                                    }
                                  }
                                }
                              }
                            }
                          },
                          "version": true,
                          "_source": {
                            "excludes": []
                          },
                          "stored_fields": [
                            "*"
                          ],
                          "script_fields": {},
                          "docvalue_fields": [
                            "@timestamp",
                            "security_log.time"
                          ],
                          "query": {
                            "bool": {
                              "must": [
                                {
                                  "match_all": {}
                                },
                                {
                                  "match_all": {}
                                },
                                {
                                  "bool": {
                                    "should": [
                                      {
                                        "match_phrase": {
                                          "type.keyword": "threatintel"
                                        }
                                      }
                                    ],
                                    "minimum_should_match": 1
                                  }
                                },
                                {
                                  "match_phrase": {
                                    "indicator_parent": {
                                      "query": "ip"
                                    }
                                  }
                                },
                                {
                                  "exists": {
                                    "field": "indicator"
                                  }
                                },
                                {
                                  "range": {
                                    "@timestamp": {
                                        "gte": "{{ctx.trigger.scheduled_time}}||-1d",
                                        "lte": "{{ctx.trigger.scheduled_time}}",
                                        "format": "strict_date_optional_time||epoch_millis"
                                      }
                                  }
                                }
                              ],
                              "filter": [],
                              "should": [],
                              "must_not": []
                            }
                          }
                    }
                  }
                }
              }
            }
          ]
        }
      },
      "condition": {
        "compare": {
      ?????????????
      },
      "actions": {
        "log": {
          "logging": {
            "level": "info",
            "text": "what condition should i write"
          }
        }
      }
    }

addanuj · June 12, 2018, 4:13pm

@jamesspi please help

jamesspi · June 13, 2018, 8:57am

Hi @addanuj,

I don't think it's possible to loop through hits. However, I would do this differently.

I would use the ip from the 1st input, and then build the query for the second input using that variable.

Then, the compare condition would need to be based on the result of the second input. You don't even need aggregations in this case really.

So the query for your second input would be something like:

 "body": {
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "query_string": {
                            "query": "type:threatintel AND indicator-ip:{{ctx.payload.first.hits.hits.0._source.srcip}}"
                          }
                        }
                      ]
                    }
                  },

And the condition:

 "condition": {
    "compare": {
      "ctx.payload.second.hits.total": {
        "gt": 0
      }
    }
  },

Thanks,
James

jamesspi · June 13, 2018, 9:03am

And I should mention - you should probably be doing the comparison at the entry level (I assume you're using logstash?) using the translate filter plugin. Then just create a watch to see if there is a match. What I usually do is create a boolean field with the translate plugin, and then just watch for value=true. Much more efficient.

addanuj · June 13, 2018, 9:07am

Can you provide an example for this

addanuj · June 13, 2018, 9:33am

Hi James,
i tried it but it is not comparing all threatintel IP address with all srcip values, it only compare first one.
but i tried this -
"bool": {
"must": [
{
"query_string": {
"query": "indicator:{{#ctx.payload.first.aggregations.srcip.buckets}}{{key}} {{/ctx.payload.first.aggregations.srcip.buckets}}"
}
}
]
}

this works for me but i need to know how shall i print matching values only in action seciton

jamesspi · June 13, 2018, 9:40am

You won't need to compare all values, you just need to know when there is a match, correct?

Here is a link for some translate examples:

richcollier · June 13, 2018, 3:09pm

I've already recommended in a different thread that you should look at this post for ideas:

Why do you keep on asking? I'm confused...

addanuj · June 13, 2018, 3:12pm

Thanks James, for guiding me to the right way. i will try to use logstash method also, but your answer helped me to solve some specific problems anyway,

I am really thankful to this forum and you guys, providing great support to community.

jamesspi · June 19, 2018, 7:08am

No problem!

spinscale · June 22, 2018, 2:04pm

Using a painless script and a chained input that executes both of hte searches you mentioned in the top might be another solution.

Be aware that something like joins do not work though!

Topic		Replies	Views
How to Compare two different fields value of two different index? Elasticsearch elastic-stack-alerting	18	13291	June 21, 2018
Watcher Chained Input and Painless Script Elasticsearch elastic-stack-alerting	3	1253	June 11, 2017
Watcher - loop through results of the first search and use them for the second search Elasticsearch elastic-stack-alerting	2	437	December 1, 2022
How to compare two aggregation output in watcher in condition Elasticsearch elastic-stack-alerting	3	1837	March 15, 2019
Comparing values from 2 ML Jobs in watcher Elasticsearch elastic-stack-machine-learning	6	1973	March 7, 2018

Not able to compare two loops in a chain query

Related topics