I'm using Elasticsearch to search Packetbeat indices to identify whether two IP addresses communicate. I want to know if IP xx.xx.xx.xx talks to IP yy.yy.yy.yy, or if IP yy.yy.yy.yy talks to IP xx.xx.xx.xx. Below is my DSL, but all the results returned are completely irrelevant. What am I doing wrong? Thanks!
GET /packetbeat-*/_search?size=100&pretty
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "_type": "flow"
          }
        }
      ],
      "must_not": [
        {
          "term": {
            "source.ip": "127.0.0.1"
          }
        },
        {
          "term": {
            "dest.ip": "127.0.0.1"
          }
        }
      ],
      "should": [
        {
          "bool": {
            "must": [
              {
                "term": {
                  "_type": "flow"
                }
              },
              {
                "term": {
                  "source.ip": "xx.xx.xx.xx"
                }
              },
              {
                "term": {
                  "dest.ip": "yy.yy.yy.yy"
                }
              }
            ]
          }
        },
        {
          "bool": {
            "must": [
              {
                "term": {
                  "_type": "flow"
                }
              },
              {
                "term": {
                  "source.ip": "yy.yy.yy.yy"
                }
              },
              {
                "term": {
                  "dest.ip": "xx.xx.xx.xx"
                }
              }
            ]
          }
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-30d/d",
            "lte": "now-1d/d"
          }
        }
      }
    }
  }
}
Answer 0: (score: 0)
Simplified query:
_type: flow
not localhost
source.ip != dest.ip
source.ip or dest.ip equals IP_X or IP_Y
Have a look, based on this answer:
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "_type": "flow"
          }
        },
        {
          "script": {
            "script": "doc['source.ip'].value != doc['dest.ip'].value"
          }
        },
        {
          "terms": {
            "source.ip": [
              "IP_X",
              "IP_Y"
            ]
          }
        },
        {
          "terms": {
            "dest.ip": [
              "IP_X",
              "IP_Y"
            ]
          }
        }
      ],
      "must_not": [
        {
          "term": {
            "source.ip": "127.0.0.1"
          }
        },
        {
          "term": {
            "dest.ip": "127.0.0.1"
          }
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-30d/d",
            "lte": "now-1d/d"
          }
        }
      }
    }
  }
}
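As an added example (not code from either post), a Python helper that builds the questioner's two-direction query with `minimum_should_match` set explicitly: when a bool query also carries must or filter clauses, Elasticsearch treats its should clauses as optional by default, which is why every flow in the time window came back. The same logic is mirrored in a local predicate run over constructed sample flow documents; field names (`source.ip`, `dest.ip`, `_type`) are taken from the question.

```python
LOCALHOST = "127.0.0.1"


def pair_flow_query(ip_a, ip_b, days=30):
    """Bool query for flows between ip_a and ip_b in either direction.

    With `must` and `filter` present, `should` alone does not restrict hits
    (minimum_should_match defaults to 0), so it is set to 1 explicitly.
    """
    def direction(src, dst):
        return {"bool": {"must": [{"term": {"source.ip": src}},
                                  {"term": {"dest.ip": dst}}]}}

    return {
        "query": {
            "bool": {
                "must": [{"term": {"_type": "flow"}}],
                "must_not": [{"term": {"source.ip": LOCALHOST}},
                             {"term": {"dest.ip": LOCALHOST}}],
                "should": [direction(ip_a, ip_b), direction(ip_b, ip_a)],
                "minimum_should_match": 1,
                "filter": {"range": {"@timestamp": {
                    "gte": f"now-{days}d/d", "lte": "now-1d/d"}}},
            }
        }
    }


def flow_matches(doc, ip_a, ip_b):
    """Local predicate with the same semantics as pair_flow_query (time window aside)."""
    src, dst = doc.get("source.ip"), doc.get("dest.ip")
    if doc.get("_type") != "flow" or LOCALHOST in (src, dst):
        return False
    return (src, dst) in {(ip_a, ip_b), (ip_b, ip_a)}


def matching_flows(flows, ip_a, ip_b):
    return [f for f in flows if flow_matches(f, ip_a, ip_b)]


# Constructed sample flow documents (flattened keys; not real Packetbeat output).
SAMPLE_FLOWS = [
    {"_type": "flow", "source.ip": "10.0.0.5", "dest.ip": "10.0.0.9"},   # A -> B
    {"_type": "flow", "source.ip": "10.0.0.9", "dest.ip": "10.0.0.5"},   # B -> A
    {"_type": "flow", "source.ip": "10.0.0.5", "dest.ip": "10.0.0.7"},   # A -> other host
    {"_type": "flow", "source.ip": "127.0.0.1", "dest.ip": "10.0.0.5"},  # loopback, excluded
    {"_type": "http", "source.ip": "10.0.0.5", "dest.ip": "10.0.0.9"},   # not a flow document
]
```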