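# FTP file-operation audit queries (winlogbeat, Appname == "FTP") for the +08:00 calendar day
# 2017-11-26. Kibana Console format: each request is `GET <index>/_search` followed by its JSON
# body; `#` lines are comments. The original notebook used `------` separators and a bare file
# name between requests, which Console rejects; they are comments now so the file pastes as a unit.
#
# Predicates shared by every request:
#   * Appname == "FTP" and action in {LIST, RETR, STOR, DELE} - the FTP commands being audited.
#   * @timestamp in [2017-11-26T00:00:00+08:00, 2017-11-27T00:00:00+08:00). The recorded queries
#     used `lte 2017-11-26T23:59:59.000+08:00`, which leaves a 999 ms hole at the end of the day,
#     and one query used epoch millis 1511654400000..1511740800000, i.e. 2017-11-26T00:00Z to
#     2017-11-27T00:00Z - a window shifted 8 h from the others. All are normalised to one
#     half-open window so every request reports the same day.
#   * must_not filedir == "/%{[filesub][1]}": this literal is an unresolved Logstash field
#     reference, i.e. the event was NOT parsed. Excluding it hides unparsed events from the audit;
#     the last request counts what the negative filters drop so the gap is visible, not silent.
#   * must_not filedir == "-": event carried no path.
#   * must_not match message ".ok": NOTE(review) if `message` is an analyzed text field (the
#     default for winlogbeat `message`), the standard analyzer reduces ".ok" to the token "ok", so
#     ANY message containing that token is excluded. File names in STOR/RETR/DELE are supplied by
#     the FTP client, so a name such as "ok" or "ok.txt" would drop out of the report. Confirm the
#     mapping and prefer a `term` on a keyword field; left unchanged here because the intended
#     match is not recoverable from the notebook.
#
# Other changes from the recorded queries, none of which alter the result set:
#   * `minimum_number_should_match` -> `minimum_should_match` (deprecated alias, removed in ES 6.0).
#   * Client-serialised defaults (boost 1.0, prefix_length, max_expansions, fuzzy_transpositions,
#     lenient, zero_terms_query, disable_coord, adjust_pure_negative, shard_size -1, min_doc_count 1,
#     shard_min_doc_count 0, show_term_doc_count_error, empty `ext`) are omitted; they are defaults.
#   * The terms aggregations below run on `filedir`, which (unless fielddata was enabled) means it
#     is a keyword field; on a keyword field `match` and `term` are equivalent, so the must_not
#     clause uses `term` everywhere for consistency.
#   * `_term` in aggregation `order` is the 5.x spelling; it became `_key` in 6.0 and `_term` was
#     removed in 7.0. Kept because the other syntax in this notebook (disable_coord) is 5.x.
#   * Terms aggregations are top-N: a `size` of 10/50/100 truncates the long tail. For an audit,
#     check `sum_other_doc_count` in the response is 0 before treating a list as complete.

# 1. Every audited FTP command on the day (hits returned; default size is 10 - raise `size` or
#    paginate for a full listing).
GET winlogbeat-2017.11.*/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "Appname": { "value": "FTP" } } },
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } }
      ],
      "should": [
        { "term": { "action": { "value": "LIST" } } },
        { "term": { "action": { "value": "RETR" } } },
        { "term": { "action": { "value": "STOR" } } },
        { "term": { "action": { "value": "DELE" } } }
      ],
      "minimum_should_match": 1,
      "must_not": [
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } },
        { "term": { "filedir": { "value": "-" } } },
        { "match": { "message": ".ok" } }
      ]
    }
  }
}

# 2. Downloads only (RETR), hits returned.
GET winlogbeat-2017.11.*/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "Appname": { "value": "FTP" } } },
        { "terms": { "action": [ "RETR" ] } },
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } }
      ],
      "must_not": [
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } },
        { "term": { "filedir": { "value": "-" } } },
        { "match": { "message": ".ok" } }
      ]
    }
  }
}

# 3. Event count per directory, top 100. The +08:00 day straddles the UTC-named daily indices
#    2017.11.25 and 2017.11.26, hence both are listed.
GET winlogbeat-2017.11.25,winlogbeat-2017.11.26/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "term": { "Appname": { "value": "FTP" } } },
        { "terms": { "action": [ "LIST", "DELE", "RETR", "STOR" ] } },
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } }
      ],
      "must_not": [
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } },
        { "term": { "filedir": { "value": "-" } } },
        { "match": { "message": ".ok" } }
      ]
    }
  },
  "aggs": {
    "ff": { "terms": { "field": "filedir", "size": 100 } }
  }
}

# 4. Top-10 directories across all winlogbeat indices. Recorded with the epoch-millis UTC window
#    described in the header; now uses the same +08:00 day as the rest of the report. The wildcard
#    index pattern scans every index - the two-index form in #3 is enough if indices are UTC-daily.
GET winlogbeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } },
        { "term": { "Appname": { "value": "FTP" } } },
        { "terms": { "action": [ "LIST", "STOR", "DELE", "RETR" ] } }
      ],
      "must_not": [
        { "match": { "message": ".ok" } },
        { "term": { "filedir": { "value": "-" } } },
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } }
      ]
    }
  },
  "aggs": {
    "filedir_count": {
      "terms": {
        "field": "filedir",
        "size": 10,
        "order": [ { "_count": "desc" }, { "_term": "asc" } ]
      }
    }
  }
}

# ---- RPT_C001_20171125.txt ----
# 5. Report query: top-50 directories for the day.
GET winlogbeat-2017.11.25,winlogbeat-2017.11.26/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } },
        { "term": { "Appname": { "value": "FTP" } } },
        { "terms": { "action": [ "LIST", "STOR", "DELE", "RETR" ] } }
      ],
      "must_not": [
        { "match": { "message": ".ok" } },
        { "term": { "filedir": { "value": "-" } } },
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } }
      ]
    }
  },
  "aggs": {
    "aggTop": {
      "terms": {
        "field": "filedir",
        "size": 50,
        "order": [ { "_count": "desc" }, { "_term": "asc" } ]
      }
    }
  }
}

# 6. Same as #3 (top-100 directories); kept because the notebook recorded it twice.
GET winlogbeat-2017.11.25,winlogbeat-2017.11.26/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "term": { "Appname": { "value": "FTP" } } },
        { "terms": { "action": [ "LIST", "DELE", "RETR", "STOR" ] } },
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } }
      ],
      "must_not": [
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } },
        { "term": { "filedir": { "value": "-" } } },
        { "match": { "message": ".ok" } }
      ]
    }
  },
  "aggs": {
    "ff": { "terms": { "field": "filedir", "size": 100 } }
  }
}

# 7. Drill-down: all commands under the /SJPT directory, hits returned. The filedir must_not
#    clauses cannot match once filedir is pinned to /SJPT; they are harmless and kept for symmetry.
GET winlogbeat-2017.11.*/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "Appname": { "value": "FTP" } } },
        { "term": { "filedir": { "value": "/SJPT" } } },
        { "terms": { "action": [ "LIST", "DELE", "RETR", "STOR" ] } },
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } }
      ],
      "must_not": [
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } },
        { "term": { "filedir": { "value": "-" } } },
        { "match": { "message": ".ok" } }
      ]
    }
  }
}

# 8. Directory listings (LIST) only: top-50 directories listed and top-50 accounts doing the
#    listing. Useful for spotting enumeration by an account that normally only uploads/downloads.
GET winlogbeat-2017.11.*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } },
        { "term": { "Appname": { "value": "FTP" } } },
        { "term": { "action": { "value": "LIST" } } }
      ],
      "must_not": [
        { "match": { "message": ".ok" } },
        { "term": { "filedir": { "value": "-" } } },
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } }
      ]
    }
  },
  "aggs": {
    "aggTop": {
      "terms": {
        "field": "filedir",
        "size": 50,
        "order": [ { "_count": "desc" }, { "_term": "asc" } ]
      }
    },
    "aggList": {
      "terms": {
        "field": "account",
        "size": 50,
        "order": [ { "_count": "desc" }, { "_term": "asc" } ]
      }
    }
  }
}

# 9. Drill-down: LIST commands issued by one account (JSON escaping: the value is
#    ICCCUAT\uatjc06400, a DOMAIN\user name), hits returned.
GET winlogbeat-2017.11.*/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "Appname": { "value": "FTP" } } },
        { "term": { "account": { "value": "ICCCUAT\\uatjc06400" } } },
        { "terms": { "action": [ "LIST" ] } },
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } }
      ],
      "must_not": [
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } },
        { "term": { "filedir": { "value": "-" } } },
        { "match": { "message": ".ok" } }
      ]
    }
  }
}

# 10. Coverage check (added): how many in-scope FTP events the negative filters above remove.
#     `hits.total` is the number of events missing from every report query; the aggregation shows
#     which filedir values they carry (expect "/%{[filesub][1]}" = unparsed, "-" = no path, plus
#     anything whose message matched ".ok"). A non-zero count should be reported, not ignored.
GET winlogbeat-2017.11.25,winlogbeat-2017.11.26/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "term": { "Appname": { "value": "FTP" } } },
        { "terms": { "action": [ "LIST", "DELE", "RETR", "STOR" ] } },
        { "range": { "@timestamp": { "gte": "2017-11-26T00:00:00.000+08:00", "lt": "2017-11-27T00:00:00.000+08:00" } } }
      ],
      "should": [
        { "term": { "filedir": { "value": "/%{[filesub][1]}" } } },
        { "term": { "filedir": { "value": "-" } } },
        { "match": { "message": ".ok" } }
      ],
      "minimum_should_match": 1
    }
  },
  "aggs": {
    "excluded_filedir": { "terms": { "field": "filedir", "size": 20 } }
  }
}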