Neo4j

enjaneerem · ‎09-29-2021

I'm having a hard time getting the syntax right on an apoc.es.query or an apoc.es.get for a nested field call into elasticsearch from my Neo4j database.

I'm running Neo4j 4.3.1 with ELK at 7.15.0.

I am trying to grab specific event IDs such as 4624 for user logons. Which is in event.code: 4624 and/or winlog.event_id: 4624 .

Here is what works:

CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc","_source",{
  query: { match_all: {} }
})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;

Here is what doesn't:

CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc",null,
{ query: { match: { event.code: 4624}}})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;

Or same thing with winlog:

CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc",null,
{ query: { match: { winlog.event_id: 4624}}})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;

No matter how I structure it, I either get a syntax error or zero results. What am I missing?

michael_hunger · ‎09-30-2021

Hmm, what syntax error are you getting?
And does the same query work directly against ES?

conker84 · ‎09-30-2021

Plese try with:

CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc",null,
{ query: { match: { `winlog.event_id`: 4624}}})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;

If it doesn't work can you share a sample of your data and the error returned by the procedure?

Thank you so much!

enjaneerem · ‎09-30-2021

Thanks conker84! That syntax worked!

conker84 · ‎09-30-2021

@enjaneerem can you please mark the answer as the correct solution? Thank you!

Neo4j

Trouble Integrating Elasticsearch into Neo4j