elasticquery
The command elasticquery queries time-series data in Elasticsearch with a DSL query saved in ElasticSPL. elasticquery allows the usage of complex and long queries without having huge search statements. Furthermore, the usage of saved queries allows sharing of queries with other users and allows for access restrictions.
Arguments
| argument | required | format | description |
|---|---|---|---|
| instance | yes | string | elastic instance used by the query |
| search_name | yes | string | name of the saved query |
| timestamp_field | no | string | field in Elasticsearch results containing the events timestamp |
| timestamp_used | no | boolean | defines if the time given in the Splunk Search is used for the query |
| timestamp_format | no | string | python strpftime format string |
| replacements | no | string | kv-pairs used to replace tokens in query |
A saved DSL query defines default values for timestamp_field, timestamp_used, timestamp_format, and replacements`. As long as the user does not provide the argument, the value stored with the query is used. In case of replacements, the KV-pairs are merged. The user-provided input takes precedence if there is a definition for a key in the user's input and the saved arguments.
Examples
Query index kibana_sample_data_logs with default values
kibana_sample_data_logs with default values- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| timestamp_format | |
| replacements |
{
"query":{
"bool":{
"must":{
"match":{
"index":"kibana_sample_data_logs"
}
}
}
}
}
{
"query":{
"bool":{
"must":{
"match":{
"index":"kibana_sample_data_logs"
}
}
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_1"
Query index kibana_sample_data_logs with timestamp_used="True"
kibana_sample_data_logs with timestamp_used="True"- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| timestamp_format | |
| replacements |
{
"query":{
"bool":{
"must":{
"match":{
"index":"kibana_sample_data_logs"
}
}
}
}
}
{
"query":{
"bool":{
"must":[
{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"range":{
"timestamp":{
"gte":1652970540000,
"lte":1652974179000,
"format":"epoch_millis"
}
}
}
]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_1"
timestamp_used="True"
Query index kibana_sample_data_logs with defined replacements to select a specific IP address
kibana_sample_data_logs with defined replacements to select a specific IP address- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| timestamp_format | |
| replacements |
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "$ip$"
}
}]
}
}
}
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "120.49.143.213"
}
}]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_2"
replacements="$ip$=120.49.143.213"
Query index kibana_sample_data_logs with defined replacements to select a specific IP address and timestamp_used="True"
kibana_sample_data_logs with defined replacements to select a specific IP address and timestamp_used="True"- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| timestamp_format | |
| replacements |
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "$ip$"
}
}]
}
}
}
{
"query":{
"bool":{
"must":[
{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match":{
"ip":"120.49.143.213"
}
},
{
"range":{
"timestamp":{
"gte":1652970960000,
"lte":1652974604000,
"format":"epoch_millis"
}
}
}
]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_2"
replacements="$ip$=120.49.143.213"
Query index kibana_sample_data_logs conflicting replacements
kibana_sample_data_logs conflicting replacements- Default Values
- Query
- Parsed Query
- Splunk Search
| Default Field | Default Value |
|---|---|
| timestamp_field | timestamp |
| timestamp_used | false |
| timestamp_format | |
| replacements | $ip$=199.233.207.139 |
{
"query":{
"bool":{
"must":[{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match": {
"ip": "$ip$"
}
}]
}
}
}
{
"query":{
"bool":{
"must":[
{
"match":{
"index":"kibana_sample_data_logs"
}
},
{
"match":{
"ip":"120.49.143.213"
}
}
]
}
}
}
| elasticquery
instance="elastic_cluster"
search_name="docs_3"
replacements="$ip$=120.49.143.213"
Permissions
Each query is assigned to at least one role. In addition to capability checks on the operations list, run, and crud on a query, the assigned roles are checked. Users interacting with a query have to have at least one role in common.
List
The capability list_elastic_query is required to be able to view any queries. This capability is by default enabled for the role elastic_query_list. The app checks for overlap in roles while loading queries and only show relevant queries to the user.
Run
The capability run_elastic_query is required to run any query. This capability is by default enabled for the role elastic_query_run. As a user needs to be able to list queries to run them, the role imports elastic_query_list.
At the execution of a query, the app checks if the user and query have any roles in common. The execution stops, and an error message appears if there is no overlap in roles. Additionaly, the command checks if the current user is allowed to run any queries against the provided instance.
CRUD
The capability edit_elastic_query is required to perform any CRUD action. This capability is by default enabled for the role elastic_query_edit. The role elastic_query_edit imports both elastic_query_run and elastic_query_list.