Elasticsearch Case Subset

This example creates an Elasticsearch case subset of all *.html files from an existing case.

Example Scripts

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
class ElasticsearchCaseSubset
  def initialize(exportPath, query)
        @exportPath = exportPath
        @query = query
        @out = Hash.new
        @exceptions = Array.new
  end

  def process
    begin
      items = $current_case.search(@query);
      @out[:item_count] = items.size();
      @out[:exportPath] = @exportPath
      options = {
        "evidenceStoreCount" => 1,
        "includeFamilies" => false,
        "copyTags" => false,
        "copyComments" => false,
        "copyCustodians" => false,
        "copyItemSets" => false,
        "copyClassifiers" => false,
        "copyMarkupSets" => false,
        "copyProductionSets" => false,
        "copyClusters" => false,
        "copyCustomMetadata" => false,
        "caseMetadata" => {
          "name" => "ESCaseSubset",
          "description" => "About My simple Case",
          "investigator" => "Inspector Gadget",
          "elasticSearchSettings" => {
            "index.refresh_interval" => "60s",
            "nuix.transport.hosts" => "127.0.0.1:9300",
            "cluster.name" => "elasticsearch",
            "index.number_of_replicas" => "0",
            "nuix.index.auto_close" => "false",
            "index.number_of_shards" => "5",
            "xpack.security.transport.ssl.enabled" => "false"
            }
        }
      }
      @out[:started] = Time.now.strftime('%Y-%m-%d_%H-%M-%S')
      $utilities.getCaseSubsetExporter().exportItems(items, @exportPath, options);
    rescue => exception
       @exceptions << {:class => exception.class.name, :message => exception.message}
    end
    @out[:exceptions] = @exceptions
    @out[:finished] = Time.now.strftime('%Y-%m-%d_%H-%M-%S')
    return @out
  end
end
$response.setBody(ElasticsearchCaseSubset.new("/Cases/ESCaseSubsetUserScript", "file-extension:html").process)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
function ElasticsearchCaseSubset(exportPath, query) {
  this.exportPath = exportPath;
  this.query = query;
}

ElasticsearchCaseSubset.prototype.process = function() {
  var out = {};
  try {
    var items = current_case.search(this.query);
    out['item_count'] = items.length;
    out['exportPath'] = this.exportPath;

    var options = {};
    options['evidenceStoreCount'] = 1;
    options['includeFamilies'] = false;
    options['copyTags'] = false;
    options['copyComments'] = false;
    options['copyCustodians'] = false;
    options['copyItemSets'] = false;
    options['copyClassifiers'] = false;
    options['copyMarkupSets'] = false;
    options['copyProductionSets'] = false;
    options['copyClusters'] = false;
    options['copyCustomMetadata'] = false;

    var elasticSearchSettings = {};
    elasticSearchSettings['index.refresh_interval'] = '60s';
    elasticSearchSettings['nuix.transport.hosts'] = '127.0.0.1:9300';
    elasticSearchSettings['cluster.name'] = 'elasticsearch';
    elasticSearchSettings['index.number_of_replicas'] = '0';
    elasticSearchSettings['nuix.index.auto_close'] = 'false';
    elasticSearchSettings['index.number_of_shards'] = '5';
    elasticSearchSettings['xpack.security.transport.ssl.enabled'] = 'false';

    var caseMetadata = {};
    caseMetadata['name'] = 'ESCaseSubset';
    caseMetadata['description'] = 'About my simple case.';
    caseMetadata['investigator'] = 'Inspector Gadget';
    caseMetadata['elasticSearchSettings'] = elasticSearchSettings;

    options['caseMetadata'] = caseMetadata;

    out['started'] = new Date().getTime().toString();
    utilities.getCaseSubsetExporter().exportItems(items, this.exportPath, options);
  } catch(err) {
    out['exceptions'] = err.message;
  }
  out['finished'] = new Date().getTime().toString();
  return out;
}

$response.setBody(new ElasticsearchCaseSubset("/Cases/ESCaseSubsetUserScript", "file-extension:html").process())
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
import time

class ElasticsearchCaseSubset: 

  def __init__(self, exportPath, query): 
    self.exportPath = exportPath 
    self.query = query
    self.out = {}
    self.exceptions = []

  def process(self):
    try:
      items = current_case.search(self.query);
      self.out['item_count'] = len(items)    
      self.out['exportPath'] = self.exportPath

      options = {
        "evidenceStoreCount": 1,
        "includeFamilies": False,
        "copyTags": False,
        "copyComments": False,
        "copyCustodians": False,
        "copyItemSets": False,
        "copyClassifiers": False,
        "copyMarkupSets": False,
        "copyProductionSets": False,
        "copyClusters": False,
        "copyCustomMetadata": False,
        "caseMetadata": {
          "name": "ESCaseSubset",
          "description": "About My simple Case",
          "investigator": "Inspector Gadget",
          "elasticSearchSettings": {
            "index.refresh_interval": "60s",
            "nuix.transport.hosts": "127.0.0.1:9300",
            "cluster.name": "elasticsearch",
            "index.number_of_replicas": "0",
            "nuix.index.auto_close": "false",
            "index.number_of_shards": "5",
            "xpack.security.transport.ssl.enabled": "false"
          }
        }
      }
      self.out['started'] = int(round(time.time() * 1000))
      utilities.getCaseSubsetExporter().exportItems(items, self.exportPath, options);
    except Exception, e: 
      self.exceptions.append(str(e))

    self.out['finished'] = int(round(time.time() * 1000))
    return self.out

processor = ElasticsearchCaseSubset("/Cases/ESCaseSubsetUserScript", "file-extension:html")
response.setBody(processor.process())

Example Request

curl --location --request PUT 'http://localhost:8080/nuix-restful-service/svc/v1/cases/ab490af89d29460db0011f105ce6a340/userScripts' \
--header 'nuix-auth-token: YOUR_AUTH_TOKEN' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data-raw '{
  "fileName": "ElasticsearchCaseSubset.rb",
  "language": "RUBY",
  "async": false
}'
wget --no-check-certificate --quiet \
  --method PUT \
  --timeout=0 \
  --header 'nuix-auth-token: YOUR_AUTH_TOKEN' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --body-data '{
  "fileName": "ElasticsearchCaseSubset.rb",
  "language": "RUBY",
  "async": false
}' \
   'http://localhost:8080/nuix-restful-service/svc/v1/cases/ab490af89d29460db0011f105ce6a340/userScripts'
Last modified January 13, 2020