From 748ac2e20685cf6d3be7cbdce3ca92b89ff7166a Mon Sep 17 00:00:00 2001
From: Florian GAULTIER
Date: Wed, 29 May 2019 16:05:53 +0200
Subject: [PATCH] Dont combine multiple queries

---
 tools/sigma/backends/elasticsearch.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index b0abd67fd..42739f4fe 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -744,7 +744,7 @@ class ElastalertBackend(MultiRuleOutputMixin):
 if idx == agg.aggfunc:
 funcname = name
 break
- raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname))
+ raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname))
 def convertLevel(self, level):
 return {
@@ -772,7 +772,7 @@ class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):
 super().generateBefore(parsed)
 super().generateQuery(parsed)
 super().generateAfter(parsed)
- return self.queries
+ return [self.queries[-1]]
 class ElastalertBackendQs(ElastalertBackend, ElasticsearchQuerystringBackend):
 """Elastalert backend"""
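Review bot: `return [self.queries[-1]]` in the second hunk raises IndexError when `self.queries` is empty and silently discards every query but the last when more than one was generated, so a rule whose conversion produced several queries is emitted as an ElastAlert rule carrying only part of its detection logic, with no signal to the user that coverage was lost. Before the return, guard both cases explicitly, e.g. `if len(self.queries) != 1: raise NotImplementedError("%s : expected exactly one query per rule, got %d" % (self.title, len(self.queries)))`, or at least emit a warning, so a rule that would be shipped with reduced coverage is caught at conversion time rather than in production. Whether `self.queries` can legitimately hold more than one entry after `generateQuery` for a single rule is not visible in this hunk; if the surrounding code guarantees exactly one append per rule, a comment stating that invariant next to the return (`# one query per rule; generateQuery appends exactly once`) would make the `[-1]` safe to read. The enclosing `generate` method's signature lies outside the hunk.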