wip

jasonish · Dec 17, 2024 · 2d2b4b7 · 2d2b4b7
1 parent 0d2760c
commit 2d2b4b7
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 18 deletions.
diff --git a/src/elastic/eventrepo/mod.rs b/src/elastic/eventrepo/mod.rs
@@ -742,28 +742,67 @@ impl ElasticEventRepo {
         let field = self.map_field(field);
 
         #[rustfmt::skip]
+        let mut agg = json!({});
+
+        match field.as_ref() {
+            "dns.rrname.keyword" => {
+                agg["script"] = json!({
+                    "source": r#"
+                        if (doc.containsKey('dns.queries.rrname')) {
+                            return doc['dns.queries.rrname.value'];
+                        } else {
+                            return doc['dns.rrname.keyword'];
+                        }"#,
+                });
+            }
+            _ => {
+                agg["field"] = field.clone().into();
+            }
+        }
+
         let agg = if order == "asc" {
-            // We're after a rare terms...
+            agg["max_doc_count"] = 100.into();
             json!({
-		"rare_terms": {
-                    "field": field,
-                    // Increase the max_doc_count, otherwise only
-                    // terms that appear once will be returned, but
-                    // we're after the least occurring, but those
-                    // numbers could still be high.
-                    "max_doc_count": 100,
-		}
+                "rare_terms": agg
             })
         } else {
-            // This is a normal "Top 10"...
+            agg["size"] = size.into();
             json!({
-		"terms": {
-                    "field": &field,
-                    "size": size,
-		},
+                "terms": agg
             })
         };
 
+        // #[rustfmt::skip]
+        // let agg = if order == "asc" {
+        //     // We're after a rare terms...
+        //     json!({
+	// 	"rare_terms": {
+        //             "field": field,
+        //             // Increase the max_doc_count, otherwise only
+        //             // terms that appear once will be returned, but
+        //             // we're after the least occurring, but those
+        //             // numbers could still be high.
+        //             "max_doc_count": 100,
+	// 	}
+        //     })
+        // } else {
+        //     // This is a normal "Top 10"...
+        //     json!({
+	// 	"terms": {
+        //             //"field": &field,
+        //             "size": size,
+        //             "script": {
+        //                 "source": r#"
+        //                     if (doc.containsKey('dns.queries.rrname')) {
+        //                         return doc['dns.queries.rrname.value'];
+        //                     } else {
+        //                         return doc['dns.rrname.keyword'];
+        //                     }"#,
+        //             }
+	// 	},
+        //     })
+        // };
+
         filter.push(exists_filter(&self.map_field("event_type")));
 
         #[rustfmt::skip]
@@ -782,9 +821,9 @@ impl ElasticEventRepo {
             },
         });
 
-        if self.runtime_mappings_supported {
-            query["runtime_mappings"] = self.runtime_mappings();
-        }
+        // if self.runtime_mappings_supported {
+        //     query["runtime_mappings"] = self.runtime_mappings();
+        // }
 
         if !should.is_empty() {
             query["query"]["bool"]["should"] = should.into();

diff --git a/src/server/api/agg.rs b/src/server/api/agg.rs
@@ -67,7 +67,7 @@ pub(crate) async fn agg(
         .await?;
     #[rustfmt::skip]
     let response = json!({
-	      "rows": results,
+	"rows": results,
     });
     Ok(Json(response))
 }