elasticadhoc
The command elasticadhoc queries Elasticsearch with a DSL, Lucene or ES|QL query provided in the search command itself. The command is helpful while testing a query and for quick checks. However, due to the size and format of the query, the search usually gets hard to read. Therefore, if you need to repeat any queries, using elasticquery is strongly advised.
More information regarding the DSL syntax is available in the Elasticsearch Query DSL documentation. The Lucene query syntax is described in the Apache Lucene documentation. The ES|QL syntax is described in the Elasticsearch ES|QL reference.
Arguments
argument | required | format | description |
---|---|---|---|
instance | yes | string | Elasticsearch instance used by the query |
mode | no | string | "ts", "lucene" or "esql", defaults to "ts" |
query | yes | string | escaped DSL JSON query or ES|QL query |
timestamp_field | yes | string | field in the Elasticsearch results containing the event's timestamp |
timestamp_used | no | boolean | defines whether the time range selected in the Splunk search is applied to the query |
replacements | no | string | key=value pairs used to replace tokens in the query |
max_results | no | int | maximum number of events fetched from Elasticsearch, defaults to unlimited; scroll_size is used if max_results < scroll_size |
scroll_size | no | int | scroll size used for fetching data from Elasticsearch, can be adapted if facing performance problems |
Examples
Query index kibana_sample_data_logs with time constraints set using the search's time range (DSL):

```
| elasticadhoc
    instance="elastic_cluster"
    timestamp_used="true"
    timestamp_field="timestamp"
    replacements=""
    query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"
```

Query index kibana_sample_data_logs without time constraints (DSL):

```
| elasticadhoc
    instance="elastic_cluster"
    timestamp_used="false"
    timestamp_field="timestamp"
    replacements=""
    query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"
```

Query index kibana_sample_data_logs using a replacement and within the time selected in the time range picker of the Splunk search (DSL):

```
| elasticadhoc
    instance="elastic_cluster"
    timestamp_used="true"
    timestamp_field="timestamp"
    replacements="$index$=kibana_sample_data_logs"
    query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"$index$\"}}}}}"
```

Query index kibana_sample_data_logs using a replacement and without time constraints (DSL):

```
| elasticadhoc
    instance="elastic_cluster"
    timestamp_used="false"
    timestamp_field="timestamp"
    replacements="$index$=kibana_sample_data_logs"
    query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"$index$\"}}}}}"
```
Query index kibana_sample_data_logs using a replacement and with time constraints (ES|QL); the `$ip$` token defined in replacements is referenced from the query so that the replacement actually takes effect:

```
| elasticadhoc
    instance="elastic_cluster"
    mode="esql"
    replacements="$ip$=172.16.1.232"
    timestamp_field="@timestamp"
    timestamp_used="true"
    query="FROM kibana_sample_data_logs | WHERE @timestamp > $earliest$ AND source_ip=='$ip$'"
```
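The following is an added illustration, not the app's own code: a small re-implementation of the token replacement that the replacements argument describes, with the check a practitioner would want in DSL mode, namely that the query still parses as JSON after substitution, so a replacement value cannot change the shape of the query. Assumptions: several pairs are separated by commas, and the `$earliest$` time token seen in the ES|QL example is supplied by the caller through the hypothetical `extra` mapping.

```python
import json
import re
from typing import Dict, Optional

# Tokens look like $index$ or $ip$, as in the examples above.
TOKEN_RE = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\$")


def parse_replacements(replacements: str) -> Dict[str, str]:
    """Parse the replacements argument into a token -> value map.

    Assumption (not stated on the page): multiple pairs are separated
    by commas. An empty string (replacements="") yields no pairs.
    """
    pairs: Dict[str, str] = {}
    for item in filter(None, (p.strip() for p in replacements.split(","))):
        token, sep, value = item.partition("=")
        if not sep or not TOKEN_RE.fullmatch(token):
            raise ValueError(f"malformed replacement: {item!r}")
        pairs[token] = value
    return pairs


def apply_replacements(query: str, replacements: str, mode: str = "ts",
                       extra: Optional[Dict[str, str]] = None) -> str:
    """Substitute $token$ placeholders in the query text.

    Every token in the query must have a value (typos surface early).
    In DSL mode ("ts") the rendered query must still parse as JSON, so a
    value such as 'kibana"}' that would alter the query structure is rejected.
    'extra' (assumed) carries tokens the app fills itself, e.g. $earliest$.
    """
    values = {**parse_replacements(replacements), **(extra or {})}
    unresolved = set(TOKEN_RE.findall(query)) - values.keys()
    if unresolved:
        raise ValueError(f"unresolved tokens: {sorted(unresolved)}")
    rendered = TOKEN_RE.sub(lambda m: values[m.group(0)], query)
    if mode == "ts":
        try:
            json.loads(rendered)
        except json.JSONDecodeError as exc:
            raise ValueError("replacement broke the DSL JSON query") from exc
    return rendered
```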
Permissions
Only elevated users should be able to run elasticadhoc, since the command allows a user to run arbitrary queries. The only restrictions applied while running elasticadhoc are the access restrictions on instances and the permissions of the user used to create the API token.

By default, the command elasticadhoc is only visible to users with the role elastic_adhoc. Additionally, RBAC is performed on the instance selected by the user: the user must have at least one role configured for the given instance to run any queries against it.