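def get_last_shutdown(index, maxtstamp, pattern):
    """
    Return the most recent Windows shutdown event recorded for each computer.

    Runs an aggregation-only search over ``index`` for ``windows:evtx:record``
    documents whose ``event_identifier`` equals ``config.EVENT_SHUTDOWN`` and
    whose ``datetime`` is ``<= maxtstamp``, bucketed by
    ``computer_name.keyword`` with one top hit per bucket.

    Args:
        index: Elasticsearch index (or index pattern) to search.
        maxtstamp: inclusive upper bound on the event ``datetime``.
        pattern: optional extra ``query_string`` expression ANDed into the
            query; a falsy value adds no extra clause.

    Returns:
        dict mapping computer name -> raw hit dict of its latest shutdown
        event, or ``None`` when no computer matched.
    """
    conn = connections.get_connection()
    must = [
        Q('match', data_type='windows:evtx:record'),
        Q('match', event_identifier=config.EVENT_SHUTDOWN),
    ]
    if pattern:
        # NOTE(review): query_string hands `pattern` to the Lucene query
        # parser unescaped, so a caller-controlled value can add its own
        # field clauses (scope-widening) or leading wildcards / regexes
        # (expensive). If `pattern` can originate from an untrusted user,
        # prefer 'simple_query_string' or escape reserved characters first.
        must.append(Q('query_string', query=pattern, analyze_wildcard=True))
    s = (
        Search(using=conn, index=index)
        .query(Q('bool', must=must))
        .filter('range', datetime={'lte': maxtstamp})
        .sort('-datetime')[0:0]  # aggregations only; no top-level hits
    )
    # Sort the per-computer top hit explicitly: top_hits does not reliably
    # inherit the outer sort, and "last shutdown" depends on datetime order.
    # The terms aggregation keeps Elasticsearch's default bucket count, so
    # only that many computers are returned; pass size=... if more hosts
    # are expected.
    s.aggs.bucket('computer', 'terms', field='computer_name.keyword') \
          .bucket('shutdown', 'top_hits', size=1,
                  sort=[{'datetime': {'order': 'desc'}}])
    res = s.execute()
    # Every bucket has at least one document, so hits[0] is always present.
    ret = {
        bucket['key']: bucket['shutdown']['hits']['hits'][0]
        for bucket in res.aggregations['computer']['buckets']
    }
    return ret or None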