Skip to main content
Version: 1.0.0

elasticadhocstats

The command elasticadhocstats queries Elasticsearch with a DSL query provided in the search command itself. The command is helpful while testing a DSL query and for quick checks. Queries run by elasticadhocstats return aggregated data as results. Therefore, the data is formatted as a table. Timestamp fields and dynamic timestamp parsing are available with the command even though the returned data does not need to be time-series data. Due to the JSON nature of DSL queries, the command usually gets large and is hard to read. Therefore, if you need to repeat any DSL queries, the usage of elasticquerystats is strongly advised.

Arguments

argumentrequiredformatdescription
instanceyesstringelastic instance used by the query
queryyesstringescaped DSL JSON query
timestamp_fieldyesstringfield in Elasticsearch results containing the events timestamp
timestamp_usednobooleandefines if the time given in the Splunk Search is used for the query
replacementsnostringkv-pairs used to replace tokens in query

Examples

Get a distribution over the sales of products by time and product category

Kibana Graph

Permissions

Permissions

danger

Only elevated users should be able to run elasticadhocstats as the user can run arbitrary queries. The only restrictions applied while running elasticadhocstats are the access restrictions on instances and the user used to create the API token.

By default, the command elasticadhocstats is only visible to users with the role elastic_adhoc. Furthermore, the command checks the capabilities of the user running the command. An error message is shown to the user if the capability run_elastic_adhoc is unavailable. Additionally, RBAC on the instance selected by the user is performed. The user must have at least one role configured for the given instance to run any queries against it.