Skip to main content
Version: 1.3.0

elasticparse

The command elasticparse previews how ElasticSPL would parse a DSL query with the provided user input. elasticparse performs the same actions as elasticadhoc and elasticadhocstats but does not execute the query.

Arguments

argumentrequiredformatdescription
queryyesstringescaped DSL JSON query
timestamp_fieldyesstringfield in Elasticsearch results containing the events timestamp
timestamp_usednobooleandefines if the time given in the Splunk Search is used for the query
timestamp_formatnostringpython strpftime format string
replacementsnostringkv-pairs used to replace tokens in query

Examples

Parsing Query with timestamp_used="False" and no replacements

| elasticparse  
  timestamp_used="False" 
  timestamp_format="" 
  timestamp_field="timestamp" 
  replacements="" 
  query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"

Parsing query with timestamp_used="True" and no replacements

| elasticparse  
  timestamp_used="True" 
  timestamp_format="" 
  timestamp_field="timestamp" 
  replacements="" 
  query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"

Parsing Query with timestamp_used="False" and replacements

| elasticparse  
  timestamp_used="False" 
  timestamp_format="" 
  timestamp_field="timestamp" 
  replacements="" 
  query="{\"query\":{\"bool\":{\"must\":{\"match\":{\"index\":\"kibana_sample_data_logs\"}}}}}"

Parsing query with timestamp_used="True" and replacements

| elasticparse  
  timestamp_used="True" 
  timestamp_format="" 
  timestamp_field="timestamp" 
  replacements="$index$=kibana_sample_data_logs" 
  query="{\"query\":{\"bool\":{\"must\":[{\"match\":{\"_index\":\"$index$\"}}]}}}"

Permissions

All users with the role elastic_user can use the command as elasticparse does not fetch any data