elasticquery
The command elasticquery queries time-series data in Elasticsearch with a DSL query saved in ElasticSPL. elasticquery allows the usage of complex and long queries without having huge search statements. Furthermore, the usage of saved queries allows sharing of queries with other users and allows for access restrictions.
Arguments
| argument | required | format | description |
|---|---|---|---|
| instance | yes | string | elastic instance used by the query |
| search_name | yes | string | name of the saved query |
| timestamp_field | no | string | field in Elasticsearch results containing the events timestamp |
| timestamp_used | no | boolean | defines if the time given in the Splunk Search is used for the query |
| replacements | no | string | kv-pairs used to replace tokens in query |
| max_results | no | int | the maximal count of events fetched from Elasticsearch, defaults to unlimited. scroll_size if max_results < scroll_size |
| scroll_size | no | int | scroll size used for fetching data from Elasticsearch, can be adapted if facing performance problems |
A saved DSL query defines default values for timestamp_field, timestamp_used, timestamp_format, and replacements`. As long as the user does not provide the argument, the value stored with the query is used. In case of replacements, the KV-pairs are merged. The user-provided input takes precedence if there is a definition for a key in the user's input and the saved arguments.
Examples
Query index kibana_sample_data_logs with default values
kibana_sample_data_logs with default values- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements |
{
"query":{
"bool":{
"must":{
"match":{
"index":"kibana_sample_data_logs"
}
}
}
}
}
{
"query":{
"bool":{
"must":{
"match":{
"index":"kibana_sample_data_logs"
}
}
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_1"
Query index kibana_sample_data_logs with timestamp_used="True"
kibana_sample_data_logs with timestamp_used="True"- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements |
{
"query":{
"bool":{
"must":{
"match":{
"index":"kibana_sample_data_logs"
}
}
}
}
}
{
"query":{
"bool":{
"must":[
{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"range":{
"timestamp":{
"gte":1652970540000,
"lte":1652974179000,
"format":"epoch_millis"
}
}
}
]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_1"
timestamp_used="True"
Query index kibana_sample_data_logs with defined replacements to select a specific IP address
kibana_sample_data_logs with defined replacements to select a specific IP address- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements |
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "$ip$"
}
}]
}
}
}
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "120.49.143.213"
}
}]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_2"
replacements="$ip$=120.49.143.213"
Query index kibana_sample_data_logs with defined replacements to select a specific IP address and timestamp_used="True"
kibana_sample_data_logs with defined replacements to select a specific IP address and timestamp_used="True"- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements |
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "$ip$"
}
}]
}
}
}
{
"query":{
"bool":{
"must":[
{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match":{
"ip":"120.49.143.213"
}
},
{
"range":{
"timestamp":{
"gte":1652970960000,
"lte":1652974604000,
"format":"epoch_millis"
}
}
}
]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_2"
replacements="$ip$=120.49.143.213"
Query index kibana_sample_data_logs conflicting replacements
kibana_sample_data_logs conflicting replacements- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements | $ip$=199.233.207.139 |
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "$ip$"
}
}]
}
}
}
{
"query":{
"bool":{
"must":[
{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match":{
"ip":"120.49.143.213"
}
}
]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_3"
replacements="$ip$=120.49.143.213"
Permissions
All users with the role elastic_user can run the elasticquery command. The command itself does not grant any access to the data. The access to the data is controlled by the saved query. The saved query has an access control list that defines which users are allowed to run the query. The access control list is managed in the configuration dashboard of ElasticSPL.