Version: 1.0.0

elasticparse

The command elasticparse previews how ElasticSPL will parse a DSL query with the supplied arguments. It performs the same token replacement and timestamp handling as elasticadhoc and elasticadhocstats, but it does not execute the query against Elasticsearch.

Arguments

argument          required  format   description
query             yes       string   escaped DSL JSON query
timestamp_field   yes       string   field in the Elasticsearch results that contains the event's timestamp
timestamp_used    no        boolean  whether the time range of the Splunk search is applied to the query
timestamp_format  no        string   Python strftime format string for the timestamp values
replacements      no        string   key=value pairs used to replace tokens in query

Examples

Parsing query with timestamp_used="False" and no replacements

| elasticparse  
timestamp_used="False"
timestamp_format=""
timestamp_field="timestamp"
replacements=""
query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"

Parsing query with timestamp_used="True" and no replacements

| elasticparse  
timestamp_used="True"
timestamp_format=""
timestamp_field="timestamp"
replacements=""
query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"

Parsing query with timestamp_used="False" and replacements

| elasticparse  
timestamp_used="False"
timestamp_format=""
timestamp_field="timestamp"
replacements="$index$=kibana_sample_data_logs"
query="{\"query\":{\"bool\":{\"must\":[{\"match\":{\"_index\":\"$index$\"}}]}}}"

Parsing query with timestamp_used="True" and replacements

| elasticparse  
timestamp_used="True"
timestamp_format=""
timestamp_field="timestamp"
replacements="$index$=kibana_sample_data_logs"
query="{\"query\":{\"bool\":{\"must\":[{\"match\":{\"_index\":\"$index$\"}}]}}}"
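The following is an added example, not code from ElasticSPL, that reproduces what the preview step checks for the fourth example above: the replacements argument is parsed, tokens are substituted into the query, the result is verified to still be valid JSON, and, when timestamp_used is true, a time range on timestamp_field is added. Everything not stated on this page is an assumption of the example: that several replacement pairs are separated by commas, that the time range is injected as a range clause under bool.filter, and the default timestamp format used when timestamp_format is empty. The query is passed as plain JSON here, without the SPL backslash escaping shown in the examples.

```python
import json
from datetime import datetime, timezone


def parse_replacements(spec):
    """Parse the replacements argument into a dict of token -> value.

    The page only documents it as key=value pairs; separating several
    pairs with commas is an assumption of this example.
    """
    pairs = {}
    if not spec:
        return pairs
    for item in spec.split(","):
        if "=" not in item:
            raise ValueError("replacement %r is not token=value" % item)
        token, value = item.split("=", 1)
        pairs[token.strip()] = value.strip()
    return pairs


def preview_query(query, timestamp_field, timestamp_used="False",
                  timestamp_format="", replacements="",
                  earliest=None, latest=None):
    """Return the DSL body that would be sent, as a dict, without running it.

    Tokens are substituted in the raw query string, so the JSON check below
    is what catches a replacement value that breaks the query (for example
    one containing a double quote). Whether ElasticSPL substitutes in the
    string or in the parsed structure is not stated on the page.
    """
    body = query
    for token, value in parse_replacements(replacements).items():
        body = body.replace(token, value)

    try:
        parsed = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("substituted query is not valid JSON: %s" % exc)

    if str(timestamp_used).lower() == "true":
        if earliest is None or latest is None:
            raise ValueError("timestamp_used=True needs earliest and latest")
        # Default format when timestamp_format is empty: assumed, not documented.
        fmt = timestamp_format or "%Y-%m-%dT%H:%M:%SZ"
        rng = {"range": {timestamp_field: {"gte": earliest.strftime(fmt),
                                           "lte": latest.strftime(fmt)}}}
        q = parsed.get("query", {"match_all": {}})
        if "bool" not in q:
            # A top-level query may hold only one clause, so a non-bool query
            # is wrapped before the filter is attached.
            q = {"bool": {"must": [q]}}
        flt = q["bool"].setdefault("filter", [])
        if isinstance(flt, dict):
            flt = [flt]
            q["bool"]["filter"] = flt
        flt.append(rng)
        parsed["query"] = q
    return parsed


# Query and replacements from the fourth example on this page, unescaped.
EXAMPLE_QUERY = '{"query":{"bool":{"must":[{"match":{"_index":"$index$"}}]}}}'
EXAMPLE_REPLACEMENTS = "$index$=kibana_sample_data_logs"

if __name__ == "__main__":
    earliest = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed range
    latest = datetime(2024, 1, 2, tzinfo=timezone.utc)
    print(json.dumps(preview_query(EXAMPLE_QUERY, "timestamp", "True", "",
                                   EXAMPLE_REPLACEMENTS, earliest, latest),
                     indent=2))
```

Running the module prints the substituted query with the range filter attached. Passing a replacement such as `$index$=kibana"_logs` raises a ValueError from the JSON check instead of producing a query that Elasticsearch would reject, which is exactly the kind of problem a preview without execution is meant to surface before elasticadhoc runs the same query.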

Permissions

All users with the role elastic_user can use the command, because elasticparse does not fetch any data.