in server/api/plugins/worker.py [0:0]
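_NUM_TERM = re.compile(r"(\S+)=([0-9.]+)")
_STR_TERM = re.compile(r"(\S+)=\"(.+)\"")
_NSTR_TERM = re.compile(r"(\S+)\!=\"(.+)\"")

# How many client IPs each aggregation returns.
_TOP_CLIENTS = 50


def _number(text):
    """Parse the value of a ``field=<number>`` term: int when possible, else float.

    Raises:
        ValueError: if *text* is neither (e.g. ``1.2.3``).
    """
    try:
        return int(text)
    except ValueError:
        return float(text)


def _string_clause(field, value):
    """Build the ES clause for a quoted string value (``match`` for wildcards, else ``term``)."""
    if '*' in value:
        return {"match": {field: value}}
    return {"term": {field: value}}


def _parse_term(term):
    """Turn one rule term into ``(clause, negated)``, or ``None`` if it fits no known form."""
    numm = _NUM_TERM.match(term)
    if numm:
        return {"term": {numm.group(1): _number(numm.group(2))}}, False
    # The negated form must be tried before the positive one: ``f!="x"`` also
    # satisfies the positive pattern, with the field name captured as ``f!``.
    nstrm = _NSTR_TERM.match(term)
    if nstrm:
        return _string_clause(nstrm.group(1), nstrm.group(2)), True
    strm = _STR_TERM.match(term)
    if strm:
        return _string_clause(strm.group(1), strm.group(2)), False
    return None


def construct_query(doctype, query, initial_terms=None):
    """Construct an ES query based on doctype and ruleset.

    Args:
        doctype: Document type to aggregate; ``'httpd_visits'`` (top clients by
            hit count) and ``'httpd_traffic'`` (top clients by summed ``bytes``)
            are the only recognised values.
        query: Iterable of rule terms, each ``field=<number>``,
            ``field="<string>"`` or ``field!="<string>"``. A string value
            containing ``*`` becomes a ``match`` clause, otherwise a ``term``
            clause. Terms matching none of the forms are ignored.
        initial_terms: Optional list of pre-built ``must`` clauses to seed the
            filter with. It is copied, never mutated.

    Returns:
        The aggregation query as a dict, or ``None`` for an unknown doctype.

    Raises:
        ValueError: if a numeric term's value is not a valid number.
    """
    # Copy the seed: the previous version used a shared mutable default and
    # appended to it, so filter clauses leaked from one call into the next.
    terms = list(initial_terms) if initial_terms else []
    nterms = []
    for term in query:
        parsed = _parse_term(term)
        if parsed is None:
            continue
        clause, negated = parsed
        (nterms if negated else terms).append(clause)

    # Both doctypes share the same filter; only the per-client aggregation differs.
    bool_filter = {"bool": {"must": terms, "must_not": nterms}}
    if doctype == 'httpd_visits':
        clients = {
            "terms": {
                "field": "clientip.keyword",
                "size": _TOP_CLIENTS,
                "order": {"_count": "desc"},
            }
        }
    elif doctype == 'httpd_traffic':
        clients = {
            "terms": {
                "field": "clientip.keyword",
                "size": _TOP_CLIENTS,
                # Ordered by the sub-aggregation defined just below.
                "order": {"traffic": "desc"},
            },
            "aggs": {"traffic": {"sum": {"field": "bytes"}}},
        }
    else:
        return None

    return {
        "aggregations": {
            "byip": {
                "filter": bool_filter,
                "aggs": {"clients": clients},
            }
        },
        "size": 0,
    }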