Version: 1.3.0

Workbench

The ElasticSPL Workbench allows running ad-hoc and saved queries using an interactive interface. In addition, it is possible to save given input as a new query or update an existing query.

Workbench Overview

Requirements and Restrictions

Depending on the roles assigned to the user, the Workbench allows specific operations. The following table shows the available operations for each role.

Role	Run Ad-Hoc Query	Load Query	Run Saved Query	Create Query	Update Query
elasticspl_user	❌	✅	✅	❌	❌
elasticspl_adhoc	✅	✅	✅	❌	❌
elasticspl_power	❌	✅	✅	✅	✅
elasticspl_admin	✅	✅	✅	✅	✅

It is possible to assign multiple roles to a user. The user will then be able to perform all operations that are allowed by the assigned roles. For example, a user with the roles elasticspl_adhoc and elasticspl_user will be able to load and run saved queries but not create or update them. In addition, the user will be able to edit the loaded fields and run the query as an ad-hoc query.

Using the Workbench

If the query leads to any errors they are shown between the Query Post Processing and Query Results sections. All info messages are available by clicking the info button on the right side of the results section.

Info Messages

Error Messages

Creating a Saved Query

To create a new saved query, the user must have the role elasticspl_power assigned.

Visit the Workbench page by clicking on the Workbench link in the navigation bar.
Ensure that the Query Dropdown is set to Select a Query.
Provide input in the search bar used for the WHERE portion of the S3 Select SQL.
Click on Query Options to extend the collapsible and get access to the additional options.
Provide inputs to the Query Options section. For more information about the options, please refer to the Query documentation.
Click the Save button to open the Add Query modal.
Add a name, description and the required information on the permission slider and click the Save button to save the query. If the button is disabled, some input is missing or invalid.

info

Feel free to test your query by selecting an instance and clicking the magnifying lens button. This will execute the query and display the results. If the query is invalid, an error will be shown in the results section.

Click to see a screenshot of the `Save` button on the Workbench page.

Query Add

Running an Ad-Hoc Query

To run an ad-hoc query, the user must have the role elasticspl_adhoc assigned.

Executing an ad-hoc query is similar to creating a new query. The only difference is that the query is not saved, only run. To run an ad-hoc query, follow steps 1-5 described in the section Creating a Saved Query and complete the following steps:

Select on which instance the query should be executed in the Instance dropdown.
Click the magnifying lens button to execute the query. If the button is disabled, some input is missing or invalid.
The results will be displayed in the results section. If the query is invalid, an error will be shown in the results section. Make sure to check if there are any errors or warnings shown in the top right corner of the results section.

In addition to an event-based query, you can add a post-processing SPL search by clicking on Query Post Processing and providing a transforming SPL search. The results of the event-based query will be available in the Events tab, and results of the post-processing SPL search will be available in the Table tab and can be visualized using the Visualisation tab.

Click to see a screenshot of the `Query Post Processing` section including visualization as a pie chart.

Query Post Processing

Running a Saved Query

To load and run a saved query, the user must have the role elasticspl_user assigned.

Visit the Workbench page by clicking on the Workbench link in the navigation bar.
Select the query you want to run in the Query dropdown.
Select on which instance the query should be executed in the Instance dropdown.
Click the magnifying lens button to execute the query. If the button is disabled, some input is missing or invalid.
The results will be displayed in the results section.

If the current user has the role elasticspl_adhoc assigned, the input fields are enabled and the user can run a modified version of the query as an ad-hoc query. The modified query will not be saved.

Updating a Saved Query

To load and update a saved query, the user must have the role elasticspl_power assigned and must be a member of one of the query's writing groups.

Updating a saved query is similar to running a saved query. The only difference is that the query is not executed, only loaded. To update a saved query, follow steps 1-4 described in the section Running a Saved Query and complete the following steps:

Edit any of the input fields in the sidebar.
If you want to update the query, click the Update button to open the Update Query modal.
Click the Update button to save the query. If the button is disabled, some input is missing or invalid.

Click to see a screenshot of the `Update` button on the Workbench page.

Query Update

Requirements and Restrictions​

Using the Workbench​

Creating a Saved Query​

Running an Ad-Hoc Query​

Running a Saved Query​

Updating a Saved Query​