ElasticSPL allows time ranges and token replacements to be defined dynamically in DSL queries. This applies to both commands that execute DSL queries, `elasticquery` among them. To test how a DSL query is parsed, the `elasticparse` command can be used.
To query logs in Elasticsearch in a similar fashion as in Splunk, the time range picker of the Splunk search can be used to add time constraints to DSL queries. This works regardless of whether the query already contains time constraints.
To enable dynamic time range parsing the query has to be run with `timestamp_used` set to `true`. The following cases are distinguished:

- Existing Timestamp: If the DSL query already includes the key defined as `timestamp_field`, the values `$earliest$` and `$latest$` are replaced with the earliest and latest time of the current Splunk search.
- Existing Match: If the DSL query already contains a `match` expression, it is wrapped in a `bool` expression and an additional `filter` is added that restricts events to the defined time range.
- Existing Filter: If a `filter` expression is found in the query, an additional `range` constraint for the timestamp is added to it.
- No Must nor Filter: If the DSL query contains neither a `must` nor a `filter`, the entire existing query is placed within a `filter` expression, and a `range` expression for the timestamp is added alongside it.
- Must and Filter: If both `must` and `filter` are present, the `range` expression is added to the `filter`.
Replacements can be used to reuse a single query for different cases, for example to replace a filter on a username dynamically.
Values that are to be replaced in a DSL query have to be marked as such by surrounding them with `$`. The replacements are provided in a key value format. For the given query the replacements are defined as follows:
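The following Python is an added illustration of the two mechanisms described above, the five time range cases and `$token$` replacement, written for this page; it is not ElasticSPL's own code and does not show how the app implements them internally. The function names `inject_time_range` and `apply_replacements`, the default timestamp field `@timestamp`, and the sample queries are assumptions. It goes slightly beyond the text in two places: any top-level leaf clause (not only `match`) gets wrapped in a `bool`, and a `bool` that has `must` but no `filter`, a case the text does not list, receives a new `filter` holding just the `range`.

```python
"""Added example: ElasticSPL-style time range injection and $token$ replacement.

Not ElasticSPL's code. Function names, the default "@timestamp" field and all
sample queries are assumptions made for this illustration.
"""
import copy
import json
import re

# A token looks like $name$ and may only contain word characters.
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_]+)\$")


def apply_replacements(node, replacements):
    """Recursively replace $name$ tokens in the string values of a parsed query.

    Substituting on the parsed JSON tree rather than on the raw query text means
    a replacement value cannot close its string and alter the query structure:
    it is still plain data when the tree is serialised again. Tokens without a
    replacement are left as they are.
    """
    if isinstance(node, dict):
        return {k: apply_replacements(v, replacements) for k, v in node.items()}
    if isinstance(node, list):
        return [apply_replacements(v, replacements) for v in node]
    if isinstance(node, str):
        return TOKEN_RE.sub(
            lambda m: str(replacements.get(m.group(1), m.group(0))), node)
    return node


def _contains_key(node, key):
    """True if `key` occurs as a dictionary key anywhere in the tree."""
    if isinstance(node, dict):
        return key in node or any(_contains_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(_contains_key(v, key) for v in node)
    return False


def _as_list(clause):
    """bool.filter / bool.must may be a single clause or a list of clauses."""
    return list(clause) if isinstance(clause, list) else [clause]


def inject_time_range(body, earliest, latest, timestamp_field="@timestamp"):
    """Return a copy of request `body` constrained to [earliest, latest].

    The five documented cases are handled in order; the original is not mutated.
    """
    body = copy.deepcopy(body)
    query = body.get("query", {"match_all": {}})
    time_range = {"range": {timestamp_field: {"gte": earliest, "lte": latest}}}

    # Existing Timestamp: the author already constrains the field, fill tokens.
    if _contains_key(query, timestamp_field):
        body["query"] = apply_replacements(
            query, {"earliest": earliest, "latest": latest})
        return body

    # Existing Match (generalised to any leaf clause): wrap in a bool and add
    # the range as a filter; keeping the clause in must preserves its scoring.
    if "bool" not in query:
        body["query"] = {"bool": {"must": [query], "filter": [time_range]}}
        return body

    b = query["bool"]
    if "filter" in b:
        # Existing Filter, and Must and Filter: append the range to the filter.
        b["filter"] = _as_list(b["filter"]) + [time_range]
    elif "must" in b:
        # Must only (not listed in the text): a new filter holding the range.
        b["filter"] = [time_range]
    else:
        # No Must nor Filter: the whole query goes inside a new filter.
        body["query"] = {"bool": {"filter": [query, time_range]}}
    return body


if __name__ == "__main__":
    # Constructed sample, not from the original page: a username token that is
    # replaced first, then the Splunk time range (epoch seconds) is injected.
    sample = {"query": {"match": {"user.name": "$user$"}}}
    sample = apply_replacements(sample, {"user": "alice"})
    print(json.dumps(inject_time_range(sample, 1700000000, 1700003600), indent=2))
```

Replacing tokens on the parsed tree is a design choice of this example: if an app substituted `$user$` into the raw query text instead, a value such as `alice", "x": "` could terminate the string and change the query structure, so values that originate from search-time input should be validated before they are handed over as replacements, whichever way the substitution is done.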