elasticadhoc
The command elasticadhoc queries Elasticsearch with a DSL / Lucene query provided in the search command itself. The command is helpful while testing a DSL query and for quick checks. However, due to the JSON nature of DSL queries, the command usually gets large and is hard to read. Therefore, if you need to repeat any DSL queries, the usage of elasticquery is strongly advised.
More information regarding the DSL syntax is available in the Elasticsearch documentation. The Lucene query syntax is described in the Apache Lucene documentation.
Arguments
| argument | required | format | description |
|---|---|---|---|
| instance | yes | string | elastic instance used by the query |
| mode | no | string | "ts" or "lucene" defaults to "ts" |
| query | yes | string | escaped DSL JSON query |
| timestamp_field | yes | string | field in Elasticsearch results containing the events timestamp |
| timestamp_used | no | boolean | defines if the time given in the Splunk Search is used for the query |
| replacements | no | string | kv-pairs used to replace tokens in query |
| max_results | no | int | the maximal count of events fetched from Elasticsearch, defaults to unlimited. scroll_size if max_results < scroll_size |
| scroll_size | no | int | scroll size used for fetching data from Elasticsearch, can be adapted if facing performance problems |
Examples
Query index kibana_sample_data_logs with time constraints set using the searches timerange
kibana_sample_data_logs with time constraints set using the searches timerange| elasticadhoc
instance="elastic_cluster"
timestamp_used="true"
timestamp_field="timestamp"
replacements=""
query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"
Query index kibana_sample_data_logs without time constraints
kibana_sample_data_logs without time constraints| elasticadhoc
instance="elastic_cluster"
timestamp_used="false"
timestamp_field="timestamp"
replacements=""
query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"
Query index kibana_sample_data_logs using replacement and within the time selected in timerangepicker of Splunk search
kibana_sample_data_logs using replacement and within the time selected in timerangepicker of Splunk search| elasticadhoc
instance="elastic_cluster"
timestamp_used="true"
timestamp_field="timestamp"
replacements="$index$=kibana_sample_data_logs"
query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"$index$\"}}}}}"
Query index kibana_sample_data_logs using replacement and without time constraints
kibana_sample_data_logs using replacement and without time constraints| elasticadhoc
instance="elastic_cluster"
timestamp_used="false"
timestamp_field="timestamp"
replacements="$index$=kibana_sample_data_logs"
query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"$index$\"}}}}}"
Permissions
Only elevated users should be able to run elasticadhoc as the user can run arbitrary queries.
The only restrictions applied while running elasticadhoc are the access restrictions on instances and the user used to create the API token.
By default, the command elasticadhoc is only visible to users with the role elastic_adhoc. Additionally, RBAC on the instance selected by the user is performed. The user must have at least one role configured for the given instance to run any queries against it.