Vega Query - Find first match

Ryan_Clark · January 22, 2024, 10:24pm

Hi,
I am building status indicators in vega to find certain events in logs and give me a green light if it found it and red light if the event is not found.

What I've come up with so far works, but I noticed in the response the query returns all documents that match. Since I need this to scale in large environments with large data sets, I need to figure out how to tell the query to only find the first match. Is there a parameter I can add to the query to tell it to stop on first occurrence?

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "description": "Windows AU-2 ConMon",
  "padding": 5,
  // Query for specific events
  "data": [
    {
      // Successful Logons - WINDOWS
      "name": "SLogons",
      "url": {
        "index": "log-windows-*",
        "body": {
          "size": 1000,
            "query": {
              "bool": {
                must: [
                  // This string will be replaced
                  // with the auto-generated "MUST" clause
                  "%dashboard_context-must_clause%"
                  {
                    range: {
                      // apply timefilter (upper right corner)
                      // to the @timestamp variable
                      @timestamp: {
                        // "%timefilter%" will be replaced with
                       // the current values of the time filter
                       // (from the upper right corner)
                       "%timefilter%": true
                       // week, day (default), hour, minute, second
                       unit: minute
                      }
                    }
                  }
                ],
                "should": [{"match": {"event.code": "4624"}}],
                "minimum_should_match": 1
              }
            }
          }
      }
    },
    // Failed Logons - WINDOWS
    {
      "name": "FLogons",
      "url": {
        "index": "log-windows-*",
        "body": {
          "size": 1000,
            "query": {
              "bool": {
                must: [
                  // This string will be replaced
                  // with the auto-generated "MUST" clause
                  "%dashboard_context-must_clause%"
                  {
                    range: {
                      // apply timefilter (upper right corner)
                      // to the @timestamp variable
                      @timestamp: {
                        // "%timefilter%" will be replaced with
                       // the current values of the time filter
                       // (from the upper right corner)
                       "%timefilter%": true
                       // week, day (default), hour, minute, second
                       unit: minute
                      }
                    }
                  }
                ],
                "should": [{"match": {"event.code": "4634"}}],
                "minimum_should_match": 1
              }
            }
          }
      }
    },
    // Logoffs - WINDOWS
    {
      "name": "Logoffs",
      "url": {
        "index": "log-windows-*",
        "body": {
          "size": 1000,
            "query": {
              "bool": {
                must: [
                  // This string will be replaced
                  // with the auto-generated "MUST" clause
                  "%dashboard_context-must_clause%"
                  {
                    range: {
                      // apply timefilter (upper right corner)
                      // to the @timestamp variable
                      @timestamp: {
                        // "%timefilter%" will be replaced with
                       // the current values of the time filter
                       // (from the upper right corner)
                       "%timefilter%": true
                       // week, day (default), hour, minute, second
                       unit: minute
                      }
                    }
                  }
                ],
                "should": [{"match": {"event.code": "4634"}}],
                "minimum_should_match": 1
              }
            }
          }
      }
    },
  ],
  
  

  "marks": [
    // Create a circle and fill it green if the event is found and red if not found
    {
      "type": "symbol",
      "from": {"data": "SLogons"},
      "encode": {
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 15},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          "fill": [
            {"test": "datum.hits.total === 0", "value": "red"},
            {"test": "datum.hits.total >= 1", "value": "green"},
            {"value": "false"}
          ]
        }
      }
    },
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logon (Success) - AU-2a1(1))"},
          "x": {"value": 10},
          "y": {"value": 20}
        }
      }
    },
    // Create a circle and fill it green if the event is found and red if not found
    {
      "type": "symbol",
      "from": {"data": "FLogons"},
      "encode": {
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 60},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          "fill": [
            {"test": "datum.hits.total === 0", "value": "red"},
            {"test": "datum.hits.total >= 1", "value": "green"},
            {"value": "false"}
          ]
        }
      }
    },
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logon (Failed) - AU-2a1(1))"},
          "x": {"value": 10},
          "y": {"value": 65}
        }
      }
    },
    {
      "type": "symbol",
      "from": {"data": "Logoffs"},
      "encode": {
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 105},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          "fill": [
            {"test": "datum.hits.total === 0", "value": "red"},
            {"test": "datum.hits.total >= 1", "value": "green"},
            {"value": "false"}
          ]
        }
      }
    },
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logoff (Sucess) - AU-2a1(2)"},
          "x": {"value": 10},
          "y": {"value": 110}
        }
      }
    }
  ]
}

As you can see in the image, it gets 46 hits and all 46 docs are returned.

Ryan_Clark · January 23, 2024, 12:39am

OK, so I reviewed the code and had an epiphany. The example I copied used 1000 as the size in the body. I set size to 1. By all appearances, this seems to reduce the results to 1 hit and the response time went from 138ms to 1ms. So this seems to be the answer. Can anyone confirm this is a good approach?

system · February 20, 2024, 12:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.