### Performing a basic search

Almost every document stored in Elasticsearch can be converted to an `events.Event` object.

More specifically, `events.Event` works with any index matching the pattern `*event*` (for example the `event-flows-2019.10.31` and `ssh-events-2019.10.31` indices that appear in the output below).

#### Start with importing some required libraries.

```python
from datetime import datetime, timedelta

import dynamite_sdk  # binds the `dynamite_sdk` name used for `dynamite_sdk.config` below
from dynamite_sdk.search import Search

# The SDK reads its Elasticsearch connection settings from this config file.
try:
    dynamite_sdk.config.read('/etc/dynamite/dynamite_sdk/config.cfg')
except FileNotFoundError:
    print('Could not locate configuration at /etc/dynamite/dynamite_sdk/config.cfg. Please create it.')
```

#### Instantiate our `search.Search` interface to search all event indices (index pattern `*event*`).

```python
search = Search('events')
```


#### Set our initial search window to a 1 minute timeframe.

Stored `event_time` values are UTC (note the `+00:00` offsets in the output below). `datetime.now()` returns naive local time, so if the machine running the notebook is not set to UTC, build the window from `datetime.utcnow()` (or a timezone-aware datetime) instead, otherwise the window will be offset from the stored timestamps.

```python
end = datetime.now()
start = end - timedelta(minutes=1)
```

#### Execute our time windowed query.

```python
search.execute_query(start, end)
```

#### Iterate through the results.

```python
for event in search.results:
    print(str(event))
```

[zeek][conn][2019-10-31 14:41:23.185000+00:00]192.168.53.158:52119 -> 169.254.169.123:123
[zeek][ssh][2019-10-31 14:41:14.184000+00:00]218.92.0.171:30556 -> 192.168.53.158:22
[zeek][conn][2019-10-31 14:41:13.974000+00:00]218.92.0.171:30556 -> 192.168.53.158:22
[zeek][conn][2019-10-31 14:41:11.800000+00:00]79.158.108.108:53248 -> 192.168.53.158:22
[zeek][conn][2019-10-31 14:41:06.973000+00:00]192.168.53.158:35523 -> 169.254.169.123:123
[zeek][conn][2019-10-31 14:40:50.796000+00:00]192.168.53.158:39734 -> 169.254.169.123:123
[zeek][conn][2019-10-31 14:40:48.253000+00:00]192.168.53.158:49282 -> 171.66.97.126:123
[zeek][conn][2019-10-31 14:40:36.682000+00:00]185.176.27.110:40971 -> 192.168.53.158:3481
[zeek][conn][2019-10-31 14:40:35.800000+00:00]80.82.77.132:47655 -> 192.168.53.158:1122
[zeek][conn][2019-10-31 14:40:34.897000+00:00]142.11.214.46:17087 -> 192.168.53.158:523
[zeek][conn][2019-10-31 14:40:34.690000+00:00]192.168.53.158:59172 -> 169.254.169.123:123
[zeek][conn][2019-10-31 14:

#### Alternatively, events can be retrieved as a dataframe.

Pass `as_dataframe=True` to the constructor; `search.results` is then a pandas DataFrame instead of a list of `events.Event` objects.

```python
search = Search('events', as_dataframe=True)

end = datetime.now()
start = end - timedelta(minutes=1)

search.execute_query(start, end)
search.results
```

|   | event_type | event_time | source_ip_address | destination_ip_address | source_port | destination_port | elasticsearch_index | originating_agent_tag | forwarder_type | node_ip_address | node_hostname |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | conn | 2019-10-31 14:41:23.185000+00:00 | 192.168.53.158 | 169.254.169.123 | 52119 | 123 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 1 | ssh | 2019-10-31 14:41:14.184000+00:00 | 218.92.0.171 | 192.168.53.158 | 30556 | 22 | ssh-events-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 2 | conn | 2019-10-31 14:41:13.974000+00:00 | 218.92.0.171 | 192.168.53.158 | 30556 | 22 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 3 | conn | 2019-10-31 14:41:11.800000+00:00 | 79.158.108.108 | 192.168.53.158 | 53248 | 22 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 4 | conn | 2019-10-31 14:41:06.973000+00:00 | 192.168.53.158 | 169.254.169.123 | 35523 | 123 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 5 | conn | 2019-10-31 14:40:50.796000+00:00 | 192.168.53.158 | 169.254.169.123 | 39734 | 123 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 6 | conn | 2019-10-31 14:40:48.253000+00:00 | 192.168.53.158 | 171.66.97.126 | 49282 | 123 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 7 | conn | 2019-10-31 14:40:36.682000+00:00 | 185.176.27.110 | 192.168.53.158 | 40971 | 3481 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 8 | conn | 2019-10-31 14:40:35.800000+00:00 | 80.82.77.132 | 192.168.53.158 | 47655 | 1122 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
| 9 | conn | 2019-10-31 14:40:34.897000+00:00 | 142.11.214.46 | 192.168.53.158 | 17087 | 523 | event-flows-2019.10.31 | honeypot01 | zeek | 192.168.53.158 | ip-192-168-53-158.us-west-2.compute.internal |
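Both walkthroughs above stop at printing the result set. The block below is an added example (not part of the dynamite-sdk documentation or its API) showing what a practitioner typically does next with a window of these events: build the time window in UTC to match the stored `+00:00` timestamps, filter events to that window, and pivot inbound flows by external source so that the SSH probes and the hits on unusual ports stand out from the sensor's own outbound NTP traffic. It runs offline: the ten rows from the dataframe output above are embedded as a constructed CSV string standing in for `search.results`, and the helper names (`utc_window`, `parse_events`, `in_window`, `inbound_by_source`, `ssh_sources`) are this example's own, not SDK functions.

```python
"""Post-process a Search() result set offline.

Added example, not from the dynamite-sdk project. SAMPLE_CSV is constructed
from the dataframe rows shown in the walkthrough; in a live session you would
use search.results (with as_dataframe=True, search.results.to_csv() yields the
same column layout) instead.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the rows printed by the dataframe walkthrough above.
SAMPLE_CSV = """\
event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,node_hostname
conn,2019-10-31 14:41:23.185000+00:00,192.168.53.158,169.254.169.123,52119,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
ssh,2019-10-31 14:41:14.184000+00:00,218.92.0.171,192.168.53.158,30556,22,ssh-events-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:41:13.974000+00:00,218.92.0.171,192.168.53.158,30556,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:41:11.800000+00:00,79.158.108.108,192.168.53.158,53248,22,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:41:06.973000+00:00,192.168.53.158,169.254.169.123,35523,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:40:50.796000+00:00,192.168.53.158,169.254.169.123,39734,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:40:48.253000+00:00,192.168.53.158,171.66.97.126,49282,123,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:40:36.682000+00:00,185.176.27.110,192.168.53.158,40971,3481,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:40:35.800000+00:00,80.82.77.132,192.168.53.158,47655,1122,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
conn,2019-10-31 14:40:34.897000+00:00,142.11.214.46,192.168.53.158,17087,523,event-flows-2019.10.31,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal
"""


def utc_window(minutes, now=None):
    """Return (start, end) as timezone-aware UTC datetimes.

    Event timestamps carry +00:00, so the window is built in UTC rather than
    from the naive local-time datetime.now() used in the walkthrough. `now` may
    be a datetime or an ISO-8601 string (useful for replaying a fixed window).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now - timedelta(minutes=minutes), now


def parse_events(csv_text):
    """Parse the CSV layout into dicts with typed event_time and ports."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["event_time"] = datetime.fromisoformat(row["event_time"])
        row["source_port"] = int(row["source_port"])
        row["destination_port"] = int(row["destination_port"])
        events.append(row)
    return events


def in_window(events, start, end):
    """Keep events with start <= event_time < end (half-open, like a query range)."""
    return [e for e in events if start <= e["event_time"] < end]


def inbound_by_source(events, node_ip):
    """Map each external source IP to the set of node ports it touched.

    Only flows whose destination is the sensor itself count, so the sensor's
    own outbound NTP traffic (destination port 123) is excluded.
    """
    hits = defaultdict(set)
    for e in events:
        if e["destination_ip_address"] == node_ip and e["source_ip_address"] != node_ip:
            hits[e["source_ip_address"]].add(e["destination_port"])
    return dict(hits)


def ssh_sources(events):
    """Sorted, de-duplicated source IPs that produced Zeek ssh events."""
    return sorted({e["source_ip_address"] for e in events if e["event_type"] == "ssh"})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_CSV)
    start, end = utc_window(1, now="2019-10-31 14:41:30+00:00")
    window = in_window(evts, start, end)
    node = window[0]["node_ip_address"]
    for src, ports in sorted(inbound_by_source(window, node).items()):
        print(f"{src:<16} -> {node} ports {sorted(ports)}")
    print("ssh sources:", ssh_sources(window))
```

On the sample rows this separates five external sources probing the sensor (two of them on port 22, the rest on 523, 1122 and 3481) from the sensor's own NTP queries; the same functions apply unchanged to a larger `search.results` export, and the half-open window matches how a time-range query is normally bounded so that adjacent windows do not double count an event on the boundary.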
