elasticquerystats
The command elasticquerystats runs a DSL query saved in ElasticSPL against Elasticsearch and returns the aggregated data as its results. Because the results are aggregations rather than raw events, they are formatted as a table. Timestamp fields and dynamic timestamp parsing are still available with the command, even though the returned data does not need to be time series data.
Arguments
argument | required | format | description |
---|---|---|---|
instance | yes | string | elastic instance used by the query |
search_name | yes | string | name of the saved query |
timestamp_field | no | string | field in the Elasticsearch data containing the event's timestamp |
timestamp_used | no | boolean | whether the time range of the Splunk search is applied to the query |
replacements | no | string | key-value pairs used to replace tokens in the saved query |
mode | no | string | "stats" or "esql", defaults to "stats" |
A saved DSL query defines default values for timestamp_field, timestamp_used, timestamp_format, and replacements. As long as the user does not provide the argument, the value stored with the query is used. In the case of replacements, the key-value pairs are merged: if a key is defined both in the user's input and in the saved arguments, the user-provided value takes precedence.
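To make the precedence rules concrete, the following Python sketch was added for this page; it is not ElasticSPL's code and does not show how ElasticSPL stores saved queries or substitutes tokens. It assumes a saved-query record holding the four default fields above plus the DSL body, a comma-separated key=value form for the replacements string, and $name$ tokens inside the query; all three are assumptions. The one design point worth noting is that tokens are substituted into the parsed query, not into the raw JSON text: a user who may run the query can set replacement values, and text-level splicing would let a value change the shape of the query, whereas value-level substitution keeps it a plain JSON string.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed saved-query record (not an ElasticSPL data structure).
# The field names follow the documentation; the "$name$" token syntax,
# the stored "query" body and its values are assumptions for this example.
SAVED_QUERY = {
    "timestamp_field": "order_date",
    "timestamp_used": True,
    "timestamp_format": None,
    "replacements": {"category": "Men's Clothing", "interval": "1h"},
    "query": {
        "query": {"term": {"category.keyword": "$category$"}},
        "aggs": {"0": {"date_histogram": {"field": "order_date",
                                          "calendar_interval": "$interval$"}}},
        "size": 0,
    },
}

TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def parse_replacements(arg: Optional[str]) -> Dict[str, str]:
    """Parse the user's replacements argument.
    The page only says "kv-pairs"; the comma-separated key=value form is assumed."""
    if not arg:
        return {}
    pairs: Dict[str, str] = {}
    for item in arg.split(","):
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed replacement: {item!r}")
        pairs[key.strip()] = value.strip()
    return pairs


def resolve_arguments(saved: Dict[str, Any], user: Dict[str, Any]) -> Dict[str, Any]:
    """Stored default unless the user supplies the argument; replacements are
    merged, and a key present in both takes the user's value."""
    resolved: Dict[str, Any] = {}
    for name in ("timestamp_field", "timestamp_used", "timestamp_format"):
        resolved[name] = user[name] if name in user else saved.get(name)
    merged = dict(saved.get("replacements") or {})
    merged.update(parse_replacements(user.get("replacements")))
    resolved["replacements"] = merged
    return resolved


def substitute_tokens(node: Any, values: Dict[str, str]) -> Any:
    """Replace $token$ occurrences inside string values of the parsed query.
    Because the replacement lands in an already-parsed string, it can never
    add keys or clauses to the query, whatever characters the value holds."""
    if isinstance(node, dict):
        return {k: substitute_tokens(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute_tokens(v, values) for v in node]
    if isinstance(node, str):
        def repl(match: "re.Match[str]") -> str:
            name = match.group(1)
            if name not in values:
                raise KeyError(f"no replacement for token ${name}$")
            return values[name]
        return TOKEN.sub(repl, node)
    return node


def build_query(saved: Dict[str, Any], user_args: Dict[str, Any]):
    """Resolve arguments and produce the query that would be sent to Elasticsearch."""
    resolved = resolve_arguments(saved, user_args)
    return resolved, substitute_tokens(saved["query"], resolved["replacements"])


if __name__ == "__main__":
    # The user overrides timestamp_used and one replacement key; "category" keeps its saved value.
    resolved, query = build_query(
        SAVED_QUERY, {"timestamp_used": False, "replacements": "interval=1d"})
    print(json.dumps(resolved, indent=2))
    print(json.dumps(query, indent=2))
```

Run it as a script to see the resolved arguments and the final query; a value such as `category=x" OR 1=1` ends up as the literal term string and does not alter the query structure.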
Examples
Get a distribution over the sales of products by time and product category. The example consists of the saved query's default values, the saved DSL query, and the Splunk search that consumes the result; the Kibana graph and the Splunk graph of the same data are not reproduced here.
Default Values
Default Field | Default Value |
---|---|
timestamp_field | |
timestamp_used | false |
timestamp_format | |
replacements | |
Saved Query
{
  "aggs": {
    "0": {
      "terms": {
        "field": "category.keyword",
        "order": {
          "_count": "desc"
        },
        "size": 100
      },
      "aggs": {
        "1": {
          "date_histogram": {
            "field": "order_date",
            "calendar_interval": "1h",
            "time_zone": "Europe/Zurich"
          }
        }
      }
    }
  },
  "size": 0,
  "fields": [
    {
      "field": "customer_birth_date",
      "format": "date_time"
    },
    {
      "field": "order_date",
      "format": "date_time"
    },
    {
      "field": "products.created_on",
      "format": "date_time"
    }
  ],
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": {
    "excludes": []
  }
}
Splunk Search
| elasticquerystats instance="dev" search_name="docs_1" timestamp_used=false
| spath input=bucket output=buckets path=1.buckets{}
| spath input=bucket output=product_type path=key
| fields product_type buckets
| mvexpand buckets
| spath input=buckets
| eval _time = key / 1000
| timechart span=24h sum(doc_count) by product_type
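The search above works because, as its spath input=bucket step shows, each result row of elasticquerystats carries one top-level terms bucket as JSON in the field bucket, with the nested date_histogram buckets under the key 1. The following Python script was added here as an illustration and is not part of ElasticSPL: it models that row shape from a constructed Elasticsearch aggregation response and then performs the same flattening and 24-hour roll-up as the spath, mvexpand, eval and timechart steps. The names ES_RESPONSE, command_rows, flatten and timechart_sum and all counts are the example's own.

```python
import json
from collections import defaultdict
from typing import Any, Dict, List

HOUR_MS = 3_600_000
# 2023-11-15 00:00:00 UTC in epoch milliseconds; chosen so the 24h roll-up is easy to follow.
MIDNIGHT_MS = 1_700_006_400_000

# Constructed Elasticsearch response shaped like the saved query's aggregation:
# terms buckets on category.keyword, each holding a date_histogram named "1".
# Bucket keys of the histogram are epoch milliseconds; all counts are made up.
ES_RESPONSE: Dict[str, Any] = {
    "took": 7,
    "timed_out": False,
    "hits": {"total": {"value": 9, "relation": "eq"}, "hits": []},
    "aggregations": {
        "0": {
            "buckets": [
                {"key": "Men's Clothing", "doc_count": 6,
                 "1": {"buckets": [
                     {"key": MIDNIGHT_MS, "doc_count": 2},
                     {"key": MIDNIGHT_MS + HOUR_MS, "doc_count": 1},
                     {"key": MIDNIGHT_MS + 25 * HOUR_MS, "doc_count": 3},
                 ]}},
                {"key": "Women's Shoes", "doc_count": 3,
                 "1": {"buckets": [
                     {"key": MIDNIGHT_MS + 2 * HOUR_MS, "doc_count": 3},
                 ]}},
            ]
        }
    },
}


def command_rows(response: Dict[str, Any]) -> List[Dict[str, str]]:
    """Model of the elasticquerystats output for a terms aggregation: one row per
    top-level bucket, the bucket serialized as JSON in the field "bucket"."""
    (agg,) = response["aggregations"].values()
    return [{"bucket": json.dumps(bucket)} for bucket in agg["buckets"]]


def flatten(rows: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Equivalent of: spath path=1.buckets{} | spath path=key | mvexpand | spath | eval _time=key/1000.
    Yields one row per (product_type, _time, doc_count) with _time in epoch seconds."""
    out: List[Dict[str, Any]] = []
    for row in rows:
        bucket = json.loads(row["bucket"])
        product_type = bucket["key"]
        for inner in bucket["1"]["buckets"]:
            out.append({"product_type": product_type,
                        "_time": inner["key"] / 1000,
                        "doc_count": inner["doc_count"]})
    return out


def timechart_sum(flat: List[Dict[str, Any]], span_seconds: int = 86400) -> Dict[int, Dict[str, int]]:
    """Equivalent of: timechart span=24h sum(doc_count) by product_type.
    Spans are aligned to whole multiples of span_seconds since the epoch (UTC)."""
    table: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in flat:
        start = int(r["_time"] // span_seconds) * span_seconds
        table[start][r["product_type"]] += r["doc_count"]
    return {start: dict(by_type) for start, by_type in sorted(table.items())}


if __name__ == "__main__":
    rows = command_rows(ES_RESPONSE)
    flat = flatten(rows)
    for r in flat:
        print(r)
    print(timechart_sum(flat))
```

One caveat when comparing the roll-up with the real search: the script aligns 24-hour spans to UTC, whereas the saved query buckets hours in Europe/Zurich and Splunk's timechart aligns spans to the searching user's time zone, so day boundaries in the two charts need not coincide.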
Permissions
All users with the role elastic_user can run the elasticquerystats command. The command itself does not grant any access to data: access is controlled by the saved query, which carries an access control list defining which users are allowed to run it. The role therefore only allows a user to invoke the command, and each saved query's access control list decides whether that user may run that query. The access control list is managed in the configuration dashboard of ElasticSPL.