json - Need to extract the timestamp from a logstash elasticsearch cluster -
i'm trying determine freshness of recent record in logstash cluster, i'm having bit of trouble digesting elasticsearch dsl.
right doing extract timestamp: curl -sx 'http://localhost:9200/logstash-2015.06.02/' -d'{"query": {"match_all": {} } }' | json_pp | grep timestamp
which gets me; "@timestamp" : "2015-06-02t00:00:28.371+00:00",
i'd use elasticsearch query directly no grep hackiness.
the raw json (snipped length) looks this:
{ "took" : 115, "timed_out" : false, "hits" : { "hits" : [ { "_index" : "logstash-2015.06.02", "_source" : { "type" : "syslog", "@timestamp" : "2015-06-02t00:00:28.371+00:00", "tags" : [ "sys", "inf" ], "message" : " 2015/06/02 00:00:28 [info] serf: eventmemberjoin: generichost.example.com 10.1.1.10", "file" : "/var/log/consul.log", "@version" : 1, "host" : "generichost.example.com" }, "_id" : "au4xcf51cxori9nl1hro", "_score" : 1, "_type" : "syslog" }, ], "total" : 8605141, "max_score" : 1 }, "_shards" : { "total" : 50, "successful" : 50, "failed" : 0 } } any appreciated. know query simple, don't know is.
you don't need use dsl this. can cram url query string, this:
curl -s xget 'localhost:9200/logstash-2015.06.02/_search?_source=@timestamp&size=1&sort=@timestamp:desc&format=yaml' so:
_source=@timestampmeans we're interested in getting@timestampvaluesize=1means need 1 resultsort=@timestamp:descmeans want sort on@timestampdescending (i.e. latest first)format=yamlresult in yaml format bit more concise json in case
the output this:
- _index: "logstash-2015.06.02" _type: "syslog" _id: "au4xcf51cxori9nl1hro" _score: 1.0 _source: @timestamp: "2015-06-02t00:00:28.371+00:00" you don't need json_pp anymore, can still grep @timestamp data need.
note in 1.6.0, there way filter out metadata (i.e. _index, _type, _id, _score) , _source search result using filter_path parameter in url.
Comments
Post a Comment