I'm having a hard time getting the syntax right on an apoc.es.query or an apoc.es.get for a nested field call into Elasticsearch from my Neo4j database. I'm running Neo4j 4.3.1 with ELK at 7.15.0.

I am trying to grab specific event IDs, such as 4624 for user logons, which is in `event.code: 4624` and/or `winlog.event_id: 4624`.
Here is what works:
```cypher
CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc","_source",{
query: { match_all: {} }
})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;
```
Here is what doesn't:
```cypher
CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc",null,
{ query: { match: { event.code: 4624}}})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;
```
Or same thing with winlog:
```cypher
CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc",null,
{ query: { match: { winlog.event_id: 4624}}})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;
```
No matter how I structure it, I either get a syntax error or zero results. What am I missing?
CodePudding user response:
In Elasticsearch, the match query is the standard way to perform full-text search, but the data types of your fields don't seem to be textual. Perhaps you should use a term query instead.

```cypher
// dotted keys are back-ticked so they parse inside a Cypher map literal
{ query: { term: { `event.code`: 4624 }}}
{ query: { term: { `winlog.event_id`: 4624 }}}
```
CodePudding user response:
I received the solution over on the Neo4j forums that I will re-post here. The syntax should be like the following:
```cypher
CALL apoc.es.query("http://user:password@ipaddress:9200","logstash*","_doc",null,
{ query: { match: { `winlog.event_id`: 4624}}})
YIELD value
UNWIND value.hits.hits AS hit
RETURN hit;
```
Notice the back ticks (``) around winlog.event_id. This worked in my environment. Thanks for all the help!
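The two answers above make one point each: dotted field names must be back-ticked inside a Cypher map literal, and an exact-value field like `winlog.event_id` wants a `term` query rather than `match`. The following is an added example, not code from the original thread or from the APOC project. It renders a Python dict as a Cypher map literal (back-ticking any key that is not a plain identifier), builds the Elasticsearch body for a given event code, emits the full `CALL apoc.es.query` statement, and flattens a constructed `hits.hits` response the way the `UNWIND` in the thread does. The URL, index and host/user field names in the sample response are assumptions (the `winlog.event_data.TargetUserName` path follows Winlogbeat's usual layout but is not taken from the thread).

```python
"""Added example: Cypher map rendering and hit flattening for apoc.es.query.

Not part of the original thread; URL, index and the sample response are constructed.
"""
import json
import re

# Keys Cypher accepts without quoting: letter/underscore first, then alphanumerics/underscore.
_PLAIN_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def cypher_key(key: str) -> str:
    """Return a map key as Cypher will parse it.

    Plain identifiers are left alone; anything else (e.g. 'winlog.event_id')
    is wrapped in back ticks, with embedded back ticks doubled as Cypher's escape.
    """
    if _PLAIN_KEY.match(key):
        return key
    return "`" + key.replace("`", "``") + "`"


def cypher_literal(value) -> str:
    """Render a dict/list/str/int/float/bool/None as a Cypher literal."""
    if isinstance(value, dict):
        inner = ", ".join(f"{cypher_key(k)}: {cypher_literal(v)}" for k, v in value.items())
        return "{" + inner + "}"
    if isinstance(value, list):
        return "[" + ", ".join(cypher_literal(v) for v in value) + "]"
    if isinstance(value, bool):          # must precede the int check: bool is an int subclass
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return str(value)
    return json.dumps(str(value))        # double-quoted string with quotes/backslashes escaped


def event_code_query(field: str, code: int, textual: bool = False) -> dict:
    """Build the Elasticsearch body for one event code.

    'term' is the exact-value query for keyword/numeric fields such as
    winlog.event_id; 'match' is only appropriate for analysed text fields.
    """
    clause = "match" if textual else "term"
    return {"query": {clause: {field: code}}}


def apoc_es_query(url: str, index: str, body: dict, doc_type: str = "_doc") -> str:
    """Render the full CALL in the shape the thread converged on."""
    return (
        f"CALL apoc.es.query({json.dumps(url)}, {json.dumps(index)}, {json.dumps(doc_type)}, null,\n"
        f"  {cypher_literal(body)})\n"
        "YIELD value\n"
        "UNWIND value.hits.hits AS hit\n"
        "RETURN hit;"
    )


def logon_hits(response: dict) -> list:
    """Flatten hits.hits like the UNWIND does, keeping the fields an analyst reviews."""
    out = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        winlog = src.get("winlog", {})
        out.append({
            "id": hit.get("_id"),
            "event_code": src.get("event", {}).get("code"),
            "event_id": winlog.get("event_id"),
            # Assumed Winlogbeat layout for the logged-on account name.
            "user": winlog.get("event_data", {}).get("TargetUserName"),
            "host": src.get("host", {}).get("name"),
        })
    return out


# Constructed sample, shaped like an Elasticsearch 7.x search reply for two 4624 events.
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "hits": [
            {"_id": "a1", "_source": {"event": {"code": "4624"},
                                      "winlog": {"event_id": 4624, "event_data": {"TargetUserName": "alice"}},
                                      "host": {"name": "ws01"}}},
            {"_id": "a2", "_source": {"event": {"code": "4624"},
                                      "winlog": {"event_id": 4624, "event_data": {"TargetUserName": "svc_backup"}},
                                      "host": {"name": "srv02"}}},
        ],
    }
}

if __name__ == "__main__":
    body = event_code_query("winlog.event_id", 4624)
    print(apoc_es_query("http://user:password@ipaddress:9200", "logstash*", body))
    for row in logon_hits(SAMPLE_RESPONSE):
        print(row)
```

Running the block prints a statement whose map literal reads `{query: {term: {`winlog.event_id`: 4624}}}`, which is exactly the form that parsed in the accepted answer, and then one summary row per hit. Passing `textual=True` to `event_code_query` reproduces the `match` form from the question for comparison against an analysed text field.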