elasticadhocstats

The command elasticadhocstats queries Elasticsearch with DSL or ES|QL provided in the search command itself. The command is helpful while testing a query and for quick checks. Queries run by elasticadhocstats return aggregated data as results. Therefore, the data is formatted as a table. Timestamp fields and dynamic timestamp parsing are available with the command even though the returned data does not need to be time-series data. The command usually gets large and is hard to read. Therefore, if you need to repeat any queries, the usage of elasticquerystats is strongly advised.

Arguments

argument	required	format	description
instance	yes	string	elastic instance used by the query
query	yes	string	escaped query
timestamp_field	yes	string	field in Elasticsearch results containing the events timestamp
timestamp_used	no	boolean	defines if the time given in the Splunk Search is used for the query
replacements	no	string	kv-pairs used to replace tokens in query
mode	no	string	"stats", "esql" or "esql", defaults to "stats"

Examples

Get a distribution over the sales of products by time and product category

Kibana Graph

Query

{
   "aggs":{
      "0":{
         "terms":{
            "field":"category.keyword",
            "order":{
               "_count":"desc"
            },
            "size":100
         },
         "aggs":{
            "1":{
               "date_histogram":{
                  "field":"order_date",
                  "calendar_interval":"1h",
                  "time_zone":"Europe/Zurich"
               }
            }
         }
      }
   },
   "size":0,
   "fields":[
      {
         "field":"customer_birth_date",
         "format":"date_time"
      },
      {
         "field":"order_date",
         "format":"date_time"
      },
      {
         "field":"products.created_on",
         "format":"date_time"
      }
   ],
   "script_fields":{
      
   },
   "stored_fields":[
      "*"
   ],
   "runtime_mappings":{
      
   },
   "_source":{
      "excludes":[
         
      ]
   }
}

Splunk Search

| elasticadhocstats 
  instance="dev" 
  timestamp_used="false" 
  timestamp_format="" 
  timestamp_field="" 
  replacements="" 
  query="{\"aggs\":{\"0\":{\"terms\":{\"field\":\"category.keyword\",\"order\":{\"_count\":\"desc\"},\"size\":100},\"aggs\":{\"1\":{\"date_histogram\":{\"field\":\"order_date\",\"calendar_interval\":\"1h\",\"time_zone\":\"Europe/Zurich\"}}}}},\"size\":0,\"fields\":[{\"field\":\"customer_birth_date\",\"format\":\"date_time\"},{\"field\":\"order_date\",\"format\":\"date_time\"},{\"field\":\"products.created_on\",\"format\":\"date_time\"}],\"script_fields\":{},\"stored_fields\":[\"*\"],\"runtime_mappings\":{},\"_source\":{\"excludes\":[]}}" 
| extract
| spath input=bucket output=buckets path=1.buckets{}
| spath input=bucket output=product_type path=key
| fields product_type buckets
| mvexpand buckets
| spath input=buckets
| eval _time = key / 1000
| timechart span=24h sum(doc_count) by product_type

Splunk Graph

Permissions

Permissions

danger

Only elevated users should be able to run elasticadhocstats as the user can run arbitrary queries. The only restrictions applied while running elasticadhocstats are the access restrictions on instances and the user used to create the API token.

By default, the command elasticadhocstats is only visible to users with the role elastic_adhoc. Additionally, RBAC on the instance selected by the user is performed. The user must have at least one role configured for the given instance to run any queries against it.