Usage

ElasticSPL allows for dynamic definition of time ranges and token replacements in DSL and Lucene queries. This is done for both elasticadhoc and elasticquery. To test on how a query is parsed the command elasticparse can be used.

ElasticSPL attempts to extract the queried indexes if provided and adapts the API endpoint to only search the given indexes.

Time Range

To query logs in Elasticsearch in a similar fashion as in Splunk the timerange picker from Splunk searches can be used to add time constraints to DSL queries. This is available for queries regardless of whether the query already contains time constraints. To enable dynamic time range parsing the query has to be run with timestamp_used set to True and timestamp_field provided.

DSL

Existing Timestamp

If a DSL query already includes the key defined as timestamp_field the values $earliest$ and $latest$ are replaced with the earliest and latest time of the current Splunk search

Original	Parsed
{ "query":{ "bool":{ "must":{ "match":{ "index":"kibana_sample_data_logs" } }, "filter":{ "range":{ "timestamp":{ "gte":"$earliest$", "lte":"$latest$" } } } } } }	{ "query":{ "query":{ "bool":{ "must":{ "match":{ "index":"kibana_sample_data_logs" } }, "filter":{ "range":{ "timestamp":{ "gte":1665057600000, "lte":1665146463000, "format":"epoch_millis" } } } } } }, "indexes":[ "kibana_sample_data_logs" ] }

Existing Match

If a DSL query already contains a bool expression an additional filter is added that filters events to the defined timerange

Original	Parsed
{ "query":{ "bool":{ "must":{ "match":{ "index":"kibana_sample_data_logs" } } } } }	{ "query":{ "query":{ "bool":{ "filter":[ { "bool":{ "must":{ "match":{ "index":"kibana_sample_data_logs" } } } }, { "range":{ "timestamp":{ "gte":1665057600000, "lte":1665146548000, "format":"epoch_millis" } } } ] } } }, "indexes":[ "kibana_sample_data_logs" ] }

Existing Filter

If a filter expression is found in the query an additional range constraint for the timestamp is added

Original	Parsed
{ "query":{ "bool":{ "filter":[ { "range":{ "bytes":{ "gte":10, "lte":20000000000000 } } } ] } } }	{ "query":{ "query":{ "bool":{ "filter":[ { "range":{ "bytes":{ "gte":10, "lte":20000000000000 } } }, { "range":{ "timestamp":{ "gte":1665057600000, "lte":1665146626000, "format":"epoch_millis" } } } ] } } }, "indexes":[ ] }

No Must nor Filter

If the DSL query does not contain a must nor filter the entire existing query is taken and places within a filter expression. Additionally a range expression for the timestamp is added.

Original	Parsed
{ "query":{ "match":{ "index": "kibana_sample_data_logs" } } }	{ "query":{ "query":{ "bool":{ "filter":[ { "match":{ "index":"kibana_sample_data_logs" } }, { "range":{ "timestamp":{ "gte":1665057600000, "lte":1665146692000, "format":"epoch_millis" } } } ] } } }, "indexes":[ "kibana_sample_data_logs" ] }

Must and Filter

In case of both must and filter a range expression is added to filter

Original	Parsed
{ "query":{ "bool":{ "must":{ "match":{ "index":"kibana_sample_data_logs" } }, "filter":{ "range":{ "bytes":{ "gte":10, "lte":20000000000000 } } } } } }	{ "query":{ "query":{ "bool":{ "must":{ "match":{ "index":"kibana_sample_data_logs" } }, "filter":[ { "range":{ "bytes":{ "gte":10, "lte":20000000000000 } } }, { "range":{ "timestamp":{ "gte":1665057600000, "lte":1665146779000, "format":"epoch_millis" } } } ] } } }, "indexes":[ "kibana_sample_data_logs" ] }

Lucene

Existing Timestamp

If a Lucene query already includes the key defined as timestamp_field the values $earliest$ and $latest$ are replaced with the earliest and latest time of the current Splunk search

Original	Parsed
index:kibana_sample_data_logs AND timestamp:[$earliest$ TO $latest$]	{ "query":"index:kibana_sample_data_logs AND timestamp:[2022-10-06T12:00:00Z TO 2022-10-07T12:53:45Z]", "indexes":[ "kibana_sample_data_logs" ] }

No Existing Timestamp

If a Lucene query does not contain $earliest$ and $latest$ a statement is added to the query

Original	Parsed
index:kibana_sample_data_logs	{ "query":"index:kibana_sample_data_logs AND timestamp:[2022-10-06T12:00:00Z TO 2022-10-07T12:53:45Z]", "indexes":[ "kibana_sample_data_logs" ] }

ES|QL

Existing Timestamp

If an ES|QL query already includes the key defined as timestamp_field the values $earliest$ and $latest$ are replaced with the earliest and latest time of the current Splunk search

Original	Parsed
FROM palo | WHERE @timestamp > $earliest$ AND @timestamp < $latest$'	FROM palo | WHERE @timestamp > "2024-09-04T08:48:00Z" AND @timestamp < "2024-09-04T09:03:32Z"

Replacements

Replacements can be used to utilise a single query for different cases. As example is it possible to replace a filter for a username dynamically. Values that are replaced in a DSL query have to be marked as such in surrounding the value with $. The replacements are provided in a key value format. For the given query the replacements are defined as following:

$ip$=120.49.143.213,$response$=503

DSL

Original	Parsed
{ "query":{ "bool":{ "must":[ { "match":{ "index":"kibana_sample_data_logs" } }, { "match":{ "ip":"$ip$" } }, { "match":{ "response":"$response$" } } ] } } }	{ "query":{ "bool":{ "must":[ { "match":{ "index":"kibana_sample_data_logs" } }, { "match":{ "ip":"120.49.143.213" } }, { "match":{ "response":"503" } } ] } } }

Lucene

Original	Parsed
index:kibana_sample_data_logs AND ip:$ip$ AND response:$response$	index:kibana_sample_data_logs AND ip:120.49.143.213 AND response:503

ES|QL

Original	Parsed
FROM palo | WHERE source_ip=="$ip$"	FROM palo | WHERE source_ip=="120.49.143.213"