Workbench
The ElasticSPL Workbench allows running ad-hoc and saved queries using an interactive interface. In addition, it is possible to save given input as a new query or update an existing query.
Requirements and Restrictions
Depending on the roles assigned to the user, the Workbench allows specific operations. The following table shows the available operations for each role.
| Role | Run Ad-Hoc Query | Load Query | Run Saved Query | Create Query | Update Query |
|---|---|---|---|---|---|
| elasticspl_user | ❌ | ✅ | ✅ | ❌ | ❌ |
| elasticspl_adhoc | ✅ | ✅ | ✅ | ❌ | ❌ |
| elasticspl_power | ❌ | ✅ | ✅ | ✅ | ✅ |
| elasticspl_admin | ✅ | ✅ | ✅ | ✅ | ✅ |
It is possible to assign multiple roles to a user. The user will then be able to perform all operations that are allowed by the assigned roles. For example, a user with the roles elasticspl_adhoc and elasticspl_user will be able to load and run saved queries but not create or update them. In addition, the user will be able to edit the loaded fields and run the query as an ad-hoc query.
Using the Workbench
If the query leads to any errors they are shown between the Query Post Processing and Query Results sections. All info messages are available by clicking the info button on the right side of the results section.
Info Messages
Error Messages
Creating a Saved Query
To create a new saved query, the user must have the role elasticspl_power assigned.
- Visit the Workbench page by clicking on the Workbench link in the navigation bar.
- Ensure that the
QueryDropdown is set toSelect a Query. - Provide input in the search bar used for the
WHEREportion of the S3 Select SQL. - Click on
Query Optionsto extend the collapsible and get access to the additional options. - Provide inputs to the
Query Optionssection. For more information about the options, please refer to the Query documentation. - Click the
Savebutton to open theAdd Querymodal. - Add a name, description and the required information on the permission slider and click the
Savebutton to save the query. If the button is disabled, some input is missing or invalid.
Feel free to test your query by selecting an instance and clicking the magnifying lens button. This will execute the query and display the results. If the query is invalid, an error will be shown in the results section.
Click to see a screenshot of the Save button on the Workbench page.
Save button on the Workbench page.
Running an Ad-Hoc Query
To run an ad-hoc query, the user must have the role elasticspl_adhoc assigned.
Executing an ad-hoc query is similar to creating a new query. The only difference is that the query is not saved, only run. To run an ad-hoc query, follow steps 1-5 described in the section Creating a Saved Query and complete the following steps:
- Select on which instance the query should be executed in the
Instancedropdown. - Click the
magnifying lensbutton to execute the query. If the button is disabled, some input is missing or invalid. - The results will be displayed in the results section. If the query is invalid, an error will be shown in the results section. Make sure to check if there are any errors or warnings shown in the top right corner of the results section.
In addition to an event-based query, you can add a post-processing SPL search by clicking on Query Post Processing and providing a transforming SPL search. The results of the event-based query will be available in the Events tab, and results of the post-processing SPL search will be available in the Table tab and can be visualized using the Visualisation tab.
Click to see a screenshot of the Query Post Processing section including visualization as a pie chart.
Query Post Processing section including visualization as a pie chart.
Running a Saved Query
To load and run a saved query, the user must have the role elasticspl_user assigned.
- Visit the Workbench page by clicking on the Workbench link in the navigation bar.
- Select the query you want to run in the
Querydropdown. - Select on which instance the query should be executed in the
Instancedropdown. - Click the
magnifying lensbutton to execute the query. If the button is disabled, some input is missing or invalid. - The results will be displayed in the results section.
If the current user has the role elasticspl_adhoc assigned, the input fields are enabled and the user can run a modified version of the query as an ad-hoc query. The modified query will not be saved.
Updating a Saved Query
To load and update a saved query, the user must have the role elasticspl_power assigned and must be a member of one of the query's writing groups.
Updating a saved query is similar to running a saved query. The only difference is that the query is not executed, only loaded. To update a saved query, follow steps 1-4 described in the section Running a Saved Query and complete the following steps:
- Edit any of the input fields in the sidebar.
- If you want to update the query, click the
Updatebutton to open theUpdate Querymodal. - Click the
Updatebutton to save the query. If the button is disabled, some input is missing or invalid.
Click to see a screenshot of the Update button on the Workbench page.
Update button on the Workbench page.