From 5319c548ad7e45e795ed1a7d699b2f5ed5ab1c04 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Wed, 11 Mar 2020 13:51:49 +0000
Subject: [PATCH] get top 100 src_ip's

---
 CHANGELOG.md    |  2 +-
 bin/mytopips.sh | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100755 bin/mytopips.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index da4fbee4..99560954 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changelog
 
-## 20203010
+## 20200310
 - **Add 2FA to Cockpit**
   - Just run `2fa.sh` to enable two factor authentication in Cockpit.
 - **Find fastest mirror with netselect-apt**
diff --git a/bin/mytopips.sh b/bin/mytopips.sh
new file mode 100755
index 00000000..e343ff02
--- /dev/null
+++ b/bin/mytopips.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Make sure ES is available
+myES="http://127.0.0.1:64298/"
+myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
+if ! [ "$myESSTATUS" = "1" ]
+  then
+    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    exit 1
+  else
+    echo "### Elasticsearch is available, now continuing."
+    echo
+fi
+
+function fuMYTOPIPS {
+curl -s -XGET $myES"_search" -H 'Content-Type: application/json' -d'
+{
+  "aggs": {
+    "ips": {
+      "terms": { "field": "src_ip.keyword", "size": 100 }
+    }
+  },
+  "size" : 0
+}'
+}
+
+echo "### Aggregating top 100 source IPs in ES"
+fuMYTOPIPS | jq '.aggregations.ips.buckets[].key' | tr -d '"'
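Review bot: The availability check in the new bin/mytopips.sh runs `grep -c green` over the whole pretty-printed health document, so any field whose value contains the word green satisfies it and a count other than exactly 1 is treated as "not available"; reading the status field directly is more robust: `myESSTATUS=$(curl -s -XGET "${myES}_cluster/health" | jq -r '.status')` followed by `if [ "$myESSTATUS" != "green" ]`. The same line uses the unusual `''$myES'_cluster/health'` quoting, which leaves `$myES` unquoted; the rewrite above fixes that, and `$myES"_search"` inside fuMYTOPIPS should likewise become `"${myES}_search"`. Neither curl call passes `-f`/`--fail`, so an HTTP error from `_search` returns a JSON error body, `jq '.aggregations.ips.buckets[].key'` prints nothing, and the script still exits 0; `curl -sf` plus a check of the pipeline status would make that failure visible to the operator. Adding `set -euo pipefail` after the shebang would be consistent with the script's stated intent of aborting when ES is unreachable.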