From 9813e55d134e6a20432cbbcf30e13b9c9ffc678b Mon Sep 17 00:00:00 2001
From: vpiserchia <2363618+vpiserchia@users.noreply.github.com>
Date: Thu, 6 Feb 2025 11:55:22 +0100
Subject: [PATCH] Update elk.py to not fail when @timestamp has no mapping

https://github.com/TheHive-Project/Cortex-Analyzers/issues/1290
---
 analyzers/Elasticsearch/elk.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/analyzers/Elasticsearch/elk.py b/analyzers/Elasticsearch/elk.py
index 5a5c84475..1d1891cde 100755
--- a/analyzers/Elasticsearch/elk.py
+++ b/analyzers/Elasticsearch/elk.py
@@ -195,8 +195,24 @@ def run(self):
             info['querystring'] += '"'
         #loop to get hits from each index
         for index in self.index:
+            body = {
+                "sort": [
+                    {
+                        "@timestamp": {
+                            "order": "desc",
+                            "unmapped_type" : "date"
+                        }
+                    }
+                ],
+                "query": {
+                    "multi_match": {
+                        "query": self.data,
+                        "fields": self.fields
+                    }
+                }
+            }
             #search elastic for fields in each index
-            res = es.search(size=self.size,index=index,body={'sort':[{"@timestamp":{"order":"desc"}}],'query':{'multi_match':{'query':self.data, 'fields':self.fields}}})
+            res = es.search(size=self.size,index=index,body=body)
             #if relation is gte then more logs exist than we will display
             if res['hits']['total']['relation'] == 'gte' or res['hits']['total']['relation'] == 'gt':
                 total = 'gte'
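Review bot: The new `body` dict is loop-invariant — nothing in it depends on `index` — yet it is rebuilt on every iteration of `for index in self.index:`; build it once above the loop and pass the same object to each `es.search(...)` call. The reason for the sort option deserves a comment so it is not dropped in a later cleanup, e.g. `# unmapped_type lets the sort succeed on indices that have no @timestamp mapping (issue #1290)`. Minor: `"unmapped_type" : "date"` has a stray space before the colon, unlike the neighbouring keys. `run` begins and ends outside this hunk.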