Last active
July 25, 2018 07:11
-
-
Save Howard-Chang/de20eda7fc363ff6cc06d13d959603c9 to your computer and use it in GitHub Desktop.
Winoc_RestfulAPI
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *原先用last_switched來過濾時間改成用@timestamp來過濾 | |
| 1.上傳下載流量: | |
| GET /_search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV6_DST_ADDR":"2001:288:3200::1"} | |
| }, | |
| { | |
| "term":{"IPV6_SRC_ADDR":"2001:288:3200::1"} | |
| } | |
| ], | |
| "minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2018-04-24T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "download1" : { | |
| "filter" : { "term": { "IPV6_DST_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| }, | |
| "download2" : { | |
| "filter" : { "term": { "IPV6_SRC_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload1" : { | |
| "filter" : { "term": { "IPV6_DST_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload2" : { | |
| "filter" : { "term": { "IPV6_SRC_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| } | |
| } | |
| } | |
| //下載流量=download1+download2. 上傳流量=upload1+upload2. | |
| 2.Session數計算: | |
| GET /_search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV6_DST_ADDR":"2001:288:3200::1"} | |
| }, | |
| { | |
| "term":{"IPV6_SRC_ADDR":"2001:288:3200::1"} | |
| } | |
| ], | |
| "minimum_should_match": 1, | |
| "must": [ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-10-20T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "Udp|Tcp" : { | |
| "terms" : { | |
| "field" : "PROTOCOL", | |
| "include" : ["17", "6"] | |
| } | |
| } | |
| } | |
| } | |
| 3.Quota+IP+Protocol_name: | |
| GET _search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV6_SRC_ADDR":"2001:288:3200::1"} | |
| }, | |
| { | |
| "term":{"IPV6_DST_ADDR":"2001:288:3200::1"} | |
| } | |
| ],"minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-10-20T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "genres":{ | |
| "terms" : { | |
| "field" : "L7_PROTO_NAME.keyword" , | |
| "order" : { "sum_bytes" : "desc" } | |
| }, | |
| "aggs":{ | |
| "sum_bytes": { | |
| "sum": { | |
| "script": { | |
| "source": "doc.IN_BYTES.value + doc.OUT_BYTES.value" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| 4.Online user unique IP: | |
| 參考網站: | |
| https://www.ibm.com/support/knowledgecenter/en/STCMML8/com.ibm.storage.ts3500.doc/opg_3584_IPv4_IPv6_prefix_subnet_mask.html | |
| http://tp.edu.tw/docc/ipv6-transfer.pdf | |
| /後面的數字代表bit數 和IPV4的概念相同 | |
| 一次query多個網段的online user: | |
| GET /_search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "match":{"IPV6_DST_ADDR":"2001:288::/48"} | |
| }, | |
| { | |
| "match":{"IPV6_SRC_ADDR":"2001:288::/48"} | |
| }, | |
| { | |
| "match":{"IPV6_SRC_ADDR":"2404:6800::/48"} | |
| }, | |
| { | |
| "match":{"IPV6_DST_ADDR":"2404:6800::/48"} | |
| } | |
| ], | |
| "minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2018-02-12T00:00:00", | |
| "lt":"2018-02-13T00:00:00" | |
| } | |
| } | |
| }, | |
| { | |
| "range":{ | |
| "IN_OUT_PKTS":{ | |
| "gte": 10 | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "DST_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "should": [ | |
| {"match":{"IPV6_DST_ADDR":"2001:288::/48"}}, | |
| {"match":{"IPV6_DST_ADDR":"2404:6800::/48"}} | |
| ], | |
| "minimum_should_match": 1 | |
| } | |
| }, | |
| "aggs": { | |
| "dst_local_ip" : { | |
| "terms" : { | |
| "field" : "IPV6_DST_ADDR", | |
| "size": 100000 | |
| } | |
| } | |
| } | |
| }, | |
| "SRC_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "should": [ | |
| {"match":{"IPV6_SRC_ADDR":"2001:288::/48"}}, | |
| {"match":{"IPV6_SRC_ADDR":"2404:6800::/48"}} | |
| ], | |
| "minimum_should_match": 1 | |
| } | |
| }, | |
| "aggs": { | |
| "src_local_ip" : { | |
| "terms" : { | |
| "field" : "IPV6_SRC_ADDR", | |
| "size": 100000 | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| 5.Quota+Session(for 畫圖每五分鐘一次,所以總共query12次): | |
| GET _search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV6_SRC_ADDR":"2001:288:3200::1"} | |
| }, | |
| { | |
| "term":{"IPV6_DST_ADDR":"2001:288:3200::1"} | |
| } | |
| ],"minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-10-20T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "download1" : { | |
| "filter" : { "term": { "IPV6_DST_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| }, | |
| "download2" : { | |
| "filter" : { "term": { "IPV6_SRC_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload1" : { | |
| "filter" : { "term": { "IPV6_DST_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload2" : { | |
| "filter" : { "term": { "IPV6_SRC_ADDR":"2001:288:3200::1"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| }, | |
| "Udp|Tcp" : { | |
| "terms" : { | |
| "field" : "PROTOCOL", | |
| "include" : ["17", "6"] | |
| } | |
| } | |
| } | |
| } | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *原先用last_switched來過濾時間改成用@timestamp來過濾 | |
| 1.上傳下載流量: | |
| GET /_search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV4_DST_ADDR":"192.168.0.159"} | |
| }, | |
| { | |
| "term":{"IPV4_SRC_ADDR":"192.168.0.159"} | |
| } | |
| ], | |
| "minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-10-20T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "download1" : { | |
| "filter" : { "term": { "IPV4_DST_ADDR":"192.168.0.159"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| }, | |
| "download2" : { | |
| "filter" : { "term": { "IPV4_SRC_ADDR":"192.168.0.159"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload1" : { | |
| "filter" : { "term": { "IPV4_DST_ADDR":"192.168.0.159"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload2" : { | |
| "filter" : { "term": { "IPV4_SRC_ADDR":"192.168.0.159"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| } | |
| } | |
| } | |
| //下載流量=download1+download2. 上傳流量=upload1+upload2. | |
| 2.Session數計算: | |
| GET /_search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV4_DST_ADDR":"192.168.0.159"} | |
| }, | |
| { | |
| "term":{"IPV4_SRC_ADDR":"192.168.0.159"} | |
| } | |
| ], | |
| "minimum_should_match": 1, | |
| "must": [ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-10-20T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "Udp|Tcp" : { | |
| "terms" : { | |
| "field" : "PROTOCOL", | |
| "include" : ["17", "6"] | |
| } | |
| } | |
| } | |
| } | |
| 3.Quota+IP+Protocol_name: | |
| GET _search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV4_SRC_ADDR":"120.127.160.91"} | |
| }, | |
| { | |
| "term":{"IPV4_DST_ADDR":"120.127.160.91"} | |
| } | |
| ],"minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-10-20T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "genres":{ | |
| "terms" : { | |
| "field" : "L7_PROTO_NAME.keyword" , | |
| "order" : { "sum_bytes" : "desc" } | |
| }, | |
| "aggs":{ | |
| "sum_bytes": { | |
| "sum": { | |
| "script": { | |
| "source": "doc.IN_BYTES.value + doc.OUT_BYTES.value" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| 4.Online user unique IP: | |
| GET /_search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "match":{"IPV4_DST_ADDR":"192.168.0.0/16"} | |
| }, | |
| { | |
| "match":{"IPV4_SRC_ADDR":"192.168.0.0/16"} | |
| } | |
| ], | |
| "minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2018-02-12T00:00:00", | |
| "lt":"2018-02-13T00:00:00" | |
| } | |
| } | |
| }, | |
| { | |
| "range":{ | |
| "Packet":{ | |
| "gte": 10 | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "DST_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "filter": { | |
| "match":{"IPV4_DST_ADDR":"192.168.0.0/16"} | |
| } | |
| } | |
| }, | |
| "aggs": { | |
| "dst_local_ip" : { | |
| "terms" : { | |
| "field" : "IPV4_DST_ADDR", | |
| "size": 100000 | |
| } | |
| } | |
| } | |
| }, | |
| "SRC_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "filter": { | |
| "match":{"IPV4_SRC_ADDR":"192.168.0.0/16"} | |
| } | |
| } | |
| }, | |
| "aggs": { | |
| "src_local_ip" : { | |
| "terms" : { | |
| "field" : "IPV4_SRC_ADDR", | |
| "size": 100000 | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| 若要一次query多個網段的online user,並過濾低於10的packet: | |
| GET /_search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2018-02-12T00:00:00", | |
| "lt":"2018-02-13T00:00:00" | |
| } | |
| } | |
| }, | |
| { | |
| "range":{ | |
| "Packet":{ | |
| "gte": 10 | |
| } | |
| } | |
| } | |
| ], | |
| "should": [ | |
| { | |
| "match":{"IPV4_DST_ADDR":"120.127.0.0/16"} | |
| }, | |
| { | |
| "match":{"IPV4_SRC_ADDR":"120.127.0.0/16"} | |
| }, | |
| { | |
| "match":{"IPV4_SRC_ADDR":"192.168.0.0/16"} | |
| }, | |
| { | |
| "match":{"IPV4_DST_ADDR":"192.168.0.0/16"} | |
| } | |
| ], | |
| "minimum_should_match": 1 | |
| } | |
| }, | |
| "aggs": { | |
| "DST_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "should": [ | |
| {"match":{"IPV4_DST_ADDR":"120.127.0.0/16"}}, | |
| {"match":{"IPV4_DST_ADDR":"192.168.0.0/16"}} | |
| ], | |
| "minimum_should_match": 1 | |
| } | |
| }, | |
| "aggs": { | |
| "dst_local_ip" : { | |
| "terms" : { | |
| "field" : "IPV4_DST_ADDR", | |
| "size": 100000 | |
| } | |
| } | |
| } | |
| }, | |
| "SRC_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "should": [ | |
| {"match":{"IPV4_SRC_ADDR":"120.127.0.0/16"}}, | |
| {"match":{"IPV4_SRC_ADDR":"192.168.0.0/16"}} | |
| ], | |
| "minimum_should_match": 1 | |
| } | |
| }, | |
| "aggs": { | |
| "src_local_ip" : { | |
| "terms" : { | |
| "field" : "IPV4_SRC_ADDR", | |
| "size": 100000 | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| //累積後: | |
| GET /_search | |
| { | |
| "size": 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "match": { | |
| "IPV4_DST_ADDR": "163.19.0.0/16" | |
| } | |
| }, | |
| { | |
| "match": { | |
| "IPV4_SRC_ADDR": "163.19.0.0/16" | |
| } | |
| } | |
| ], | |
| "minimum_should_match": 1, | |
| "must": [ | |
| { | |
| "range": { | |
| "@timestamp": { | |
| "gte": "now-10m" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "DST_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "filter": { | |
| "match": { | |
| "IPV4_DST_ADDR": "163.19.0.0/16" | |
| } | |
| } | |
| } | |
| }, | |
| "aggs": { | |
| "genres": { | |
| "terms": { | |
| "field": "IPV4_DST_ADDR", | |
| "order": { | |
| "Sum_PKTS": "desc" | |
| },"size": 100000 | |
| }, | |
| "aggs": { | |
| "Sum_PKTS": { | |
| "sum": { | |
| "field": "Packet" | |
| } | |
| }, | |
| "Sum_PKTS_gte_10": { | |
| "bucket_selector": { | |
| "buckets_path": { | |
| "sum_packets": "Sum_PKTS" | |
| }, | |
| "script": "params.sum_packets >= 10" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "SRC_Local_IP": { | |
| "filter": { | |
| "bool": { | |
| "filter": { | |
| "match": { | |
| "IPV4_SRC_ADDR": "163.19.0.0/16" | |
| } | |
| } | |
| } | |
| }, | |
| "aggs": { | |
| "genres": { | |
| "terms": { | |
| "field": "IPV4_SRC_ADDR", | |
| "order": { | |
| "Sum_PKTS": "desc" | |
| },"size": 100000 | |
| }, | |
| "aggs": { | |
| "Sum_PKTS": { | |
| "sum": { | |
| "field": "Packet" | |
| } | |
| }, | |
| "Sum_PKTS_gte_10": { | |
| "bucket_selector": { | |
| "buckets_path": { | |
| "sum_packets": "Sum_PKTS" | |
| }, | |
| "script": "params.sum_packets >= 10" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| 5.Quota+Session(for 畫圖每五分鐘一次,所以總共query12次): | |
| GET _search | |
| { | |
| "size" : 0, | |
| "query": { | |
| "bool": { | |
| "should": [ | |
| { | |
| "term":{"IPV4_SRC_ADDR":"120.127.160.91"} | |
| }, | |
| { | |
| "term":{"IPV4_DST_ADDR":"120.127.160.91"} | |
| } | |
| ],"minimum_should_match": 1, | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-10-20T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "download1" : { | |
| "filter" : { "term": { "IPV4_DST_ADDR":"120.127.160.91"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| }, | |
| "download2" : { | |
| "filter" : { "term": { "IPV4_SRC_ADDR":"120.127.160.91"} }, | |
| "aggs" : { | |
| "downlod_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload1" : { | |
| "filter" : { "term": { "IPV4_DST_ADDR":"120.127.160.91"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "OUT_BYTES" } } | |
| } | |
| },"upload2" : { | |
| "filter" : { "term": { "IPV4_SRC_ADDR":"120.127.160.91"} }, | |
| "aggs" : { | |
| "upload_bytes" : { "sum" : { "field" : "IN_BYTES" } } | |
| } | |
| }, | |
| "Udp|Tcp" : { | |
| "terms" : { | |
| "field" : "PROTOCOL", | |
| "include" : ["17", "6"] | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment