PSElasticSearch.psm1

function Get-Elasticdata{
    param(
    $index,
    $body,
    $server,
    [string]$port="9200",
    [switch]$scroll,
    $size=100,
    $simplequery
    )
    
    if($scroll){
        #Send query and get scroll id for retrieval
        if ($simplequery -and !$body){ #if check for simple or complex query
            $scrollrequest=Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?q=$simplequery&scroll=1m" -Method get -ContentType 'application/json'
        }else{
            $scrollrequest=Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?scroll=1m" -Body $body -Method post -ContentType 'application/json'
        }
        
        #build object for scroll result retrival
        $scrollgetbody=[pscustomobject]@{
            scroll = "1m"
            scroll_id = "$($scrollrequest._scroll_id)"
        } | ConvertTo-Json
        #loop all scroll results
        do{
            $scrollreqresult=$null #reset variable so that end of results can be detected
            $scrollreqresult=Invoke-RestMethod -Uri "http://$server`:$port/_search/scroll" -Body $scrollgetbody -Method post -ContentType 'application/json' #get scroll results 10 at a time
            $scrollreqresult #output scroll results
        }while($scrollreqresult.hits.hits)#loop to output scroll results while there are results being delivered by elastic
    }
    else{ #If no scroll do query and return specified number of results
        if ($simplequery -and !$body){ #if check for simple or complex query
            Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?q=$simplequery&size=$size" -Method get -ContentType 'application/json'
        }else{
            Invoke-RestMethod -Uri "http://$server`:$port/$index/_search/?size=$size" -Body $body -Method post -ContentType 'application/json'
        }
    }
    
}


function Convert-Elasticdata {
    [CmdletBinding()]
    param(
    [Parameter(ValueFromPipeline)]$item,
    $inputtype,
    $resulttype
    )
    
    switch($inputtype){
    
        netflow {
            switch($resulttype){
                toptalkers {
                    $item.aggregations.source.buckets | ForEach-Object {
                        [pscustomobject]@{
                            Host = $_.key
    
                            Megabytes = [math]::round($_.totalbytes.value/1MB, 1)
                        }
                    }
                }
            }
        }
        pfsense {
            switch ($resulttype){
                failedlogons {
                    $logon=$item.hits.hits._source | where {$_.message -like "*authentication error*"}
                    [pscustomobjct]@{
                        username = $logon.pfsense_USER
                        source_IP = $logon.split(":")[2]
                    }
                }
            }
        }
    
    }
     
}