Compound Elastic Case Creation

Create a Nuix compound Elasticsearch case.

Prerequisites

  • Have an Elasticsearch cluster configured
    • Note down the Elasticsearch cluster name and hostname
  • Have a working knowledge of sharding strategies and replicas

Create a compound elastic case

Now that you are authenticated, you can create a compound Elasticsearch case. For this example, you will use a single shard and zero replicas.

curl --location --request POST 'http://localhost:8080/nuix-restful-service/svc/v1/cases' \
--header 'nuix-auth-token: 9729a460-eda7-48dc-ba70-d12b3aae3c8d' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data-raw '{
   "name":"HelloCompoundElasticsearchCase",
   "location":"inventory0",
   "description":"My first compound Elasticsearch case",
   "compound":true,
   "investigator":"Inspector Gadget",
   "elasticSearchSettings": {
      "cluster.name": "elasticsearch",
      "index.number_of_shards": 1,
      "index.number_of_replicas": 0,
      "nuix.transport.hosts": ["127.0.0.1"],
      "nuix.http.hosts": ["127.0.0.1"]
   }
}
'

{
    "caseId": "a571f00ec43d41538d9e8c4f0bf1bda5",
    "name": "HelloCompoundElasticsearchCase",
    "path": "/Cases/HelloCompoundElasticsearchCase",
    "description": "My first compound Elasticsearch case",
    "investigator": "Inspector Gadget",
    "creationDate": 1613154608469,
    "compound": true,
    "elastic": true,
    "binaryStoreLocation": "/Cases/HelloCompoundElasticsearchCase/Stores/BinaryStore",
    "indexId": "nuix-a571f00ec43d41538d9e8c4f0bf1bda5",
    "caseSize": 0,
    "casePathParent": "/Cases",
    "caseInvestigationTimeZone": "America/New_York",
    "hasExclusions": null,
    "hasNuixSystemTags": null,
    "hasProductionSets": null,
    "hasCalculatedAuditSize": null,
    "casePath": "/Cases/HelloCompoundElasticsearchCase",
    "caseDescription": "My first compound Elasticsearch case",
    "caseCreationDate": 1613154608469,
    "caseInvestigator": "Inspector Gadget",
    "caseName": "HelloCompoundElasticsearchCase"
}

You have now successfully created a compound Elasticsearch case. Take note of your case ID a571f00ec43d41538d9e8c4f0bf1bda5. Next, you need to add elastic simple child cases to the compound case. Let’s create two elastic simple child cases and add them to the compound case.

Create Elasticsearch child case 1

curl --location --request POST 'http://localhost:8080/nuix-restful-service/svc/v1/cases' \
--header 'nuix-auth-token: 9729a460-eda7-48dc-ba70-d12b3aae3c8d' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data-raw '{
   "name":"HelloElasticChild1",
   "location":"inventory0",
   "description":"My elastic child case 1",
   "compound":false,
   "investigator":"Inspector Gadget",
   "elasticSearchSettings": {
      "cluster.name": "elasticsearch",
      "index.number_of_shards": 1,
      "index.number_of_replicas": 0,
      "nuix.transport.hosts": ["127.0.0.1"],
      "nuix.http.hosts": ["127.0.0.1"]
   }
}
'

{
    "caseId": "0d4060b5d16046e58172286266a80980",
    "name": "HelloElasticChild1",
    "path": "/Cases/HelloElasticChild1",
    "description": "My elastic child case 1",
    "investigator": "Inspector Gadget",
    "creationDate": 1613155151596,
    "compound": false,
    "elastic": true,
    "binaryStoreLocation": "/Cases/HelloElasticChild1/Stores/BinaryStore",
    "indexId": "nuix-0d4060b5d16046e58172286266a80980",
    "caseSize": 0,
    "casePathParent": "/Cases",
    "caseInvestigationTimeZone": "America/New_York",
    "hasExclusions": null,
    "hasNuixSystemTags": null,
    "hasProductionSets": null,
    "hasCalculatedAuditSize": null,
    "casePath": "/Cases/HelloElasticChild1",
    "caseDescription": "My elastic child case 1",
    "caseCreationDate": 1613155151596,
    "caseInvestigator": "Inspector Gadget",
    "caseName": "HelloElasticChild1"
}

Create Elasticsearch child case 2

curl --location --request POST 'http://localhost:8080/nuix-restful-service/svc/v1/cases' \
--header 'nuix-auth-token: 9729a460-eda7-48dc-ba70-d12b3aae3c8d' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data-raw '{
   "name":"HelloElasticChild2",
   "location":"inventory0",
   "description":"My elastic child case 2",
   "compound":false,
   "investigator":"Inspector Gadget",
   "elasticSearchSettings": {
      "cluster.name": "elasticsearch",
      "index.number_of_shards": 1,
      "index.number_of_replicas": 0,
      "nuix.transport.hosts": ["127.0.0.1"],
      "nuix.http.hosts": ["127.0.0.1"]
   }
}
'

{
    "caseId": "8c680473e5274719a585ba77eb4f9ca5",
    "name": "HelloElasticChild2",
    "path": "/Cases/HelloElasticChild2",
    "description": "My elastic child case 2",
    "investigator": "Inspector Gadget",
    "creationDate": 1613155276207,
    "compound": false,
    "elastic": true,
    "binaryStoreLocation": "/Cases/HelloElasticChild2/Stores/BinaryStore",
    "indexId": "nuix-8c680473e5274719a585ba77eb4f9ca5",
    "caseSize": 0,
    "casePathParent": "/Cases",
    "caseInvestigationTimeZone": "America/New_York",
    "hasExclusions": null,
    "hasNuixSystemTags": null,
    "hasProductionSets": null,
    "hasCalculatedAuditSize": null,
    "casePath": "/Cases/HelloElasticChild2",
    "caseDescription": "My elastic child case 2",
    "caseCreationDate": 1613155276207,
    "caseInvestigator": "Inspector Gadget",
    "caseName": "HelloElasticChild2"
}

Add Elasticsearch child cases to an Elasticsearch compound case

Now you can add the two simple Elasticsearch child cases to your Elasticsearch compound case. The childCases endpoint simply acknowledges the addition of the child cases to the compound case by returning an HTTP status code of 200.

curl --location --request POST 'http://localhost:8080/nuix-restful-service/svc/v1/cases/a571f00ec43d41538d9e8c4f0bf1bda5/childCases' \
--header 'nuix-auth-token: 9729a460-eda7-48dc-ba70-d12b3aae3c8d' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data-raw '[ "0d4060b5d16046e58172286266a80980", "8c680473e5274719a585ba77eb4f9ca5" ]'
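
The four requests above as one script, given here as an added example rather than Nuix's own code. It takes each caseId from the response instead of copying it by hand, checks the `elastic` and `compound` fields before attaching children, and reads the token from the environment. The `NUIX_AUTH_TOKEN` variable name, the function names and the 32-hex-character caseId pattern are assumptions drawn from the sample values on this page.

```python
import json
import os
import re
import urllib.request

BASE = "http://localhost:8080/nuix-restful-service/svc/v1"  # base URL used on this page
CASE_ID = re.compile(r"[0-9a-f]{32}")  # assumption: shape of the caseId values shown above

def case_payload(name, description, compound, hosts=("127.0.0.1",)):
    """Body for POST /cases with the page's single-shard, zero-replica settings."""
    return {"name": name, "location": "inventory0", "description": description,
            "compound": compound, "investigator": "Inspector Gadget",
            "elasticSearchSettings": {
                "cluster.name": "elasticsearch",
                "index.number_of_shards": 1, "index.number_of_replicas": 0,
                "nuix.transport.hosts": list(hosts), "nuix.http.hosts": list(hosts)}}

def checked_case_id(response, expect_compound):
    """Return caseId only if the response is the elastic case type we asked for."""
    case_id = str(response.get("caseId"))
    if not CASE_ID.fullmatch(case_id):
        raise ValueError(f"unexpected caseId: {case_id!r}")
    if response.get("elastic") is not True or response.get("compound") is not expect_compound:
        raise ValueError(f"case {case_id} is not the expected elastic case type")
    return case_id

def post(path, body, token):
    """POST JSON with the nuix-auth-token header; urllib raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(
        BASE + path, data=json.dumps(body).encode(), method="POST",
        headers={"nuix-auth-token": token, "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw.strip() else None)

def build_compound(token):
    """Create the compound case and two children, then attach the children."""
    cases = [("HelloCompoundElasticsearchCase", "My first compound Elasticsearch case", True),
             ("HelloElasticChild1", "My elastic child case 1", False),
             ("HelloElasticChild2", "My elastic child case 2", False)]
    ids = [checked_case_id(post("/cases", case_payload(*c), token)[1], c[2]) for c in cases]
    status, _ = post(f"/cases/{ids[0]}/childCases", ids[1:], token)
    if status != 200:
        raise RuntimeError(f"childCases returned HTTP {status}")
    return ids[0], ids[1:]

if __name__ == "__main__":
    print(build_compound(os.environ["NUIX_AUTH_TOKEN"]))  # token from the environment
```
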

You have now successfully created an Elasticsearch compound case! Now, you can proceed to Part 5: Ingestion.