Munai Das Udasin

Reputation: 526

Obtaining an elasticsearch query from Kibana

I want to convert the following Kibana Elasticsearch query into a query for elasticsearch.count(index=indices, body=query).

The goal is to get a count for a given timestamp (last 24 hours), cluster, and integer_field > 0.

The query (obtained from Kibana) is:

curl -XGET 'some-url:9200/logstash-2015.07.03,logstash-2015.07.02/_search?pretty' -d '{
  "facets": {
    "0": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "10m"
      },
      "global": true,
      "facet_filter": {
        "fquery": {
          "query": {
            "filtered": {
              "query": {
                "query_string": {
                  "query": "*"
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "from": 1435840604940,
                          "to": 1435927004940
                        }
                      }
                    },
                    {
                      "fquery": {
                        "query": {
                          "query_string": {
                            "query": "integer_field:(>0)"
                          }
                        },
                        "_cache": true
                      }
                    },
                    {
                      "fquery": {
                        "query": {
                          "query_string": {
                            "query": "cluster:(\"YYY\")"
                          }
                        },
                        "_cache": true
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "size": 0
}'

I have written queries for other cases. It is only this case where I am stuck. Help will be really appreciated.

Upvotes: 1

Views: 3313

Answers (1)

pickypg

Reputation: 22332

The query that you are looking for is simpler than the one that Kibana is forced to autogenerate. Generally speaking, when pulling them from Kibana, you want to look for the "filtered" query portion. From there, you can remove wildcard conditions.

{
  "query": {
    "filtered": {
      "filter": {
        "bool" : {
          "must" : [
            {
              "term" : {
                "cluster" : "YYYY"
              }
            },
            {
              "range" : {
                "integer_field" : {
                  "gt" : 0
                }
              }
            },
            {
              "range" : {
                "@timestamp" : {
                  "gt" : "now-24h"
                }
              }
            }
          ]
        }
      }
    }
  }
}

The "cluster" term filter is the only one that is possibly not "valid" for your use. term filters are exact matches for the indexed values, so if it's not literally "YYYY" (e.g., "yyyy"), then it won't match. It's possible that you want the { "term": { ... } } to be:

{
  "fquery" : {
    "query" : {
      "match" : {
        "cluster" : "YYYY"
      }
    }
  }
}

Upvotes: 1
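The conversion the answer describes (take the "filtered" part of the Kibana export, drop the "*" wildcard query, turn the query_string wrappers into native term/range filters) as an added Python example, not code from the question or the answer; KIBANA_EXPORT is a constructed, trimmed copy of the question's facet query, and the regexes only cover the two simple query_string shapes that appear in it.

```python
import re
from typing import Any, Dict

# Constructed sample: the filter section of the Kibana facet export from the question.
KIBANA_EXPORT = {
    "facets": {"0": {"facet_filter": {"fquery": {"query": {"filtered": {
        "query": {"query_string": {"query": "*"}},
        "filter": {"bool": {"must": [
            {"range": {"@timestamp": {"from": 1435840604940, "to": 1435927004940}}},
            {"fquery": {"query": {"query_string": {"query": "integer_field:(>0)"}}, "_cache": True}},
            {"fquery": {"query": {"query_string": {"query": 'cluster:("YYY")'}}, "_cache": True}},
        ]}},
    }}}}}},
    "size": 0,
}

# The two query_string shapes Kibana 3 emits for its simple field filters (assumed pattern).
_GT = re.compile(r'^([\w@][\w.@]*):\(>(\d+)\)$')
_EQ = re.compile(r'^([\w@][\w.@]*):\("([^"]*)"\)$')


def rewrite_clause(clause: Dict[str, Any], last_hours: int) -> Dict[str, Any]:
    """Turn one Kibana 'must' clause into a native filter; unrecognised shapes pass through."""
    if "range" in clause and "@timestamp" in clause["range"]:
        # Kibana freezes the time picker as epoch millis; re-express it as a rolling window.
        return {"range": {"@timestamp": {"gt": "now-%dh" % last_hours}}}
    qs = clause.get("fquery", {}).get("query", {}).get("query_string", {}).get("query")
    if qs is None:
        return clause
    m = _GT.match(qs)
    if m:
        return {"range": {m.group(1): {"gt": int(m.group(2))}}}
    m = _EQ.match(qs)
    if m:
        # A term filter takes the value literally (exact match, as the answer notes), so a
        # caller-supplied value cannot change the query's meaning the way it could in query_string.
        return {"term": {m.group(1): m.group(2)}}
    return clause


def count_body_from_kibana(export: Dict[str, Any], facet: str = "0",
                           last_hours: int = 24) -> Dict[str, Any]:
    """Body for es.count(index=..., body=...): keep only the bool filter, drop the '*' query."""
    filtered = export["facets"][facet]["facet_filter"]["fquery"]["query"]["filtered"]
    must = filtered["filter"]["bool"]["must"]
    return {"query": {"filtered": {"filter": {"bool": {
        "must": [rewrite_clause(c, last_hours) for c in must]}}}}}
```

Pass the returned dict as body= to the Python client's count call from the question; any clause the regexes do not recognise is left as the original fquery so nothing is silently dropped.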
