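def get_last_event(index, computer=None, maxdate=None, pattern=None):
    """Return the most recent ``windows:evtx:record`` document(s) in *index*.

    Args:
        index: Elasticsearch index (or index pattern) to search.
        computer: If given, restrict the search to this ``computer_name`` and
            return only its most recent hit.  If ``None``, one hit per
            computer is returned via a ``terms``/``top_hits`` aggregation.
        maxdate: Optional inclusive upper bound on the ``datetime`` field.
        pattern: Optional Lucene ``query_string`` expression added as an
            extra ``must`` clause (wildcards are analysed).

    Returns:
        When ``computer`` is given: the most recent matching hit, or ``None``
        if nothing matched.  When ``computer`` is ``None``: a dict mapping
        ``computer_name`` to that computer's most recent hit, or ``None`` if
        no bucket came back.
    """
    conn = connections.get_connection()

    must = [Q('match', data_type='windows:evtx:record')]
    if computer is not None:
        must.append(Q('match', computer_name=computer))
    if pattern:
        # NOTE(security): query_string parses full Lucene syntax, so a
        # caller-supplied pattern can address other fields (``field:value``)
        # and issue wildcard/regexp clauses that are expensive for the
        # cluster to evaluate.  Only accept patterns from trusted callers or
        # validate them before they reach this point.
        must.append(Q('query_string', query=pattern, analyze_wildcard=True))

    s = Search(using=conn, index=index).query(Q('bool', must=must))
    if maxdate:
        s = s.filter('range', datetime={'lte': maxdate})
    s = s.sort('-datetime')

    if computer is None:
        # Only the aggregation result is needed; do not fetch plain hits.
        s = s[0:0]
    # top_hits does not inherit the search's sort (it orders by score), so
    # sort it explicitly or "last" would not mean "most recent".  The terms
    # bucket keeps Elasticsearch's default size (10), so at most 10
    # computers are reported in the aggregated form.
    computer_bucket = s.aggs.bucket('computer', 'terms', field='computer_name.keyword')
    computer_bucket.bucket(
        'last',
        'top_hits',
        size=1,
        sort=[{'datetime': {'order': 'desc'}}],
    )
    res = s.execute()

    if computer is None:
        evt = {
            bucket['key']: bucket['last']['hits']['hits'][0]
            for bucket in res.aggregations['computer']['buckets']
        }
        return evt or None

    try:
        return res[0]
    except IndexError:
        # No document matched the query.
        return None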