# Initialize Python Elasticsearch environment

Click here to see the CIF data definition. [https://github.com/jmdevince/cifpy3#object-reference](https://github.com/jmdevince/cifpy3#object-reference)

In [1]:
import json
import os
from fnmatch import fnmatch
from pprint import pprint

from elasticsearch import Elasticsearch

Connect to the **cifpy** Elasticsearch instance at 172.28.5.174.

In [2]:
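# Connection target. Overridable through CIF_ES_HOST so the notebook is not
# pinned to one lab address; the default keeps the original value.
host = os.environ.get('CIF_ES_HOST', '172.28.5.174:9200')
# NOTE(review): the host string carries no scheme and no credentials, so the
# client talks plain HTTP with no authentication. That is only acceptable on a
# trusted network; use an https:// URL with credentials if the cluster is
# reachable from elsewhere.
es = Elasticsearch(host)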

Open one of the Elasticsearch indices.

In [11]:
# Index and mapping type used by every cell below.
# NOTE(review): this cell ran as In [11], i.e. after the mapping cell (In [4]),
# and the saved mapping output still shows the 2015.12.10 index — re-run the
# notebook top to bottom so the outputs match these values.
index_name, type_name = 'cif.observables-2015.12.13', 'observables'
es.indices.open(index_name)

{u'acknowledged': True}

Get the data schema (mapping) of **'observables'**.

In [4]:
# Field-to-type schema of the mapping type in the index chosen above.
# NOTE(review): the saved output below is for cif.observables-2015.12.10, not
# the index_name currently set — it predates the In [11] re-assignment.
mappings = es.indices.get_mapping(index=index_name, doc_type=type_name)
mappings

{u'cif.observables-2015.12.10': {u'mappings': {u'observables': {u'properties': {u'@timestamp': {u'format': u'strict_date_optional_time||epoch_millis',
      u'type': u'date'},
     u'@version': {u'index': u'not_analyzed', u'type': u'string'},
     u'alt_tlp': {u'type': u'string'},
     u'altid': {u'type': u'string'},
     u'altid_tlp': {u'type': u'string'},
     u'application': {u'type': u'string'},
     u'asn': {u'type': u'long'},
     u'asn_desc': {u'type': u'string'},
     u'cc': {u'type': u'string'},
     u'citycode': {u'type': u'string'},
     u'confidence': {u'store': True, u'type': u'float'},
     u'description': {u'type': u'string'},
     u'firsttime': {u'format': u'strict_date_optional_time||epoch_millis',
      u'type': u'date'},
     u'geolocation': {u'type': u'geo_point'},
     u'group': {u'index': u'not_analyzed', u'type': u'string'},
     u'id': {u'type': u'string'},
     u'lasttime': {u'format': u'strict_date_optional_time||epoch_millis',
      u'type': u'date'},
     u'

## List all indices from elasticsearch host

Get a list of index names filtered by a shell-style wildcard.

In [7]:
# Every index known to the host, narrowed to the CIF observable indices and
# shown in name order.
all_index_names = es.indices.get_aliases().keys()
indices = sorted(name for name in all_index_names if fnmatch(name, 'cif.observables*'))
indices

[u'cif.observables-2015.11.13',
 u'cif.observables-2015.11.14',
 u'cif.observables-2015.11.15',
 u'cif.observables-2015.11.16',
 u'cif.observables-2015.11.17',
 u'cif.observables-2015.11.18',
 u'cif.observables-2015.11.19',
 u'cif.observables-2015.11.20',
 u'cif.observables-2015.12.10',
 u'cif.observables-2015.12.11',
 u'cif.observables-2015.12.12',
 u'cif.observables-2015.12.13',
 u'cif.observables-2015.12.14']

## Return total number of documents indexed 

In [8]:
# No index argument, so the count spans every index on the host (the 71
# shards reported below, versus 5 for the single index searched later).
es.count()

{u'_shards': {u'failed': 0, u'successful': 71, u'total': 71},
 u'count': 3271742}

## Build the JSON query string and perform the query

In [9]:
# Match-all query body, serialised to the JSON string the search below sends.
q = dict(query=dict(match_all={}))
json.dumps(q)

'{"query": {"match_all": {}}}'

In [12]:
# Run the query against the chosen index/type (the body sets no `size`, so the
# server's default page size applies) and pretty-print the raw response.
results = es.search(index=index_name, doc_type=type_name, body=json.dumps(q))
pprint(results)

{u'_shards': {u'failed': 0, u'successful': 5, u'total': 5},
 u'hits': {u'hits': [{u'_id': u'b1d59170fc50032d1af540d843e5273887fdf17ed6c8ca2d669c76573e5d401d',
                      u'_index': u'cif.observables-2015.12.13',
                      u'_score': 1.0,
                      u'_source': {u'@timestamp': u'2015-12-13T00:12:01Z',
                                   u'adata': None,
                                   u'altid': u'http://www.alexa.com/siteinfo/mail.ru',
                                   u'altid_tlp': u'white',
                                   u'application': u'smtp',
                                   u'cc': None,
                                   u'confidence': 20.023,
                                   u'description': None,
                                   u'firsttime': None,
                                   u'group': [u'everyone'],
                                   u'id': u'b1d59170fc50032d1af540d843e5273887fdf17ed6c8ca2d669c76573e5d401d',
                  