[Bug] Keyerror on rule-survey hits (#2293)

2022-09-13 11:38:29 -04:00
parent 8c19e9ff6c
commit e3040d8019
1 changed files with 11 additions and 3 deletions
@@ -39,9 +39,17 @@ def parse_unique_field_results(rule_type: str, unique_fields: List[str], search_
    hits = hits['hits'] if rule_type != 'eql' else hits.get('events') or hits.get('sequences', [])
    for hit in hits:
        for field in unique_fields:
-            match = nested_get(hit['_source'], field)
-            if not match:
-                continue
+            if 'events' in hit:
+                match = []
+                for event in hit['events']:
+                    matched = nested_get(event['_source'], field)
+                    match.extend([matched] if not isinstance(matched, list) else matched)
+                    if not match:
+                        continue
+            else:
+                match = nested_get(hit['_source'], field)
+                if not match:
+                    continue

            match = ','.join(sorted(match)) if isinstance(match, list) else match
            parsed_results[field][match] += 1