wilkers-steve / elastic-bash

A quick bash script for querying Elasticsearch

elastic-bash

A quick and dirty bash script for querying Elasticsearch

Usage

./es_query.sh -l <labels> -u <uri> -n <number> -f <field>

Flags

  • -l (labels): Comma-delimited list of key:value formatted labels to query against
  • -u (uri): Elasticsearch URI to query (with auth credentials, if enabled)
  • -n (number): Number of results to return from query
  • -f (field): The field in logged event to return (log, message, or MESSAGE)

labels

A comma delimited list of key:value formatted labels to query Elasticsearch for. These labels are typically applied by a log gathering daemon (Fluentbit, Fluentd, Filebeat, etc). They must be defined as indexed fields in your Elasticsearch index to be able to query against them.

uri

The endpoint for the Elasticsearch instance to query. If basic auth is enabled, the endpoint must include the user and password.

number

The number of results to return. By default, Elasticsearch will only return the top ten matches for a query.

field

The field that holds the desired log message. The default logstash index places the content of the message under the log field. The systemd input plugin for Fluentbit places the content of the message under the MESSAGE field. Most other messages, including those from the OpenStack oslo fluentd formatter, are placed under the message field.

Examples

Query for all Elasticsearch data node logs, return 100 events

./es_query.sh -l kubernetes.labels.application.keyword:elasticsearch,kubernetes.labels.component.keyword:data \
              -u http://user:password@elasticsearch:9200 \
              -n 100 \
              -f log

Query for all docker logs gathered by the Fluentbit journald plugin, return 100 events

./es_query.sh -l SYSTEMD_UNIT:docker.service \
              -u http://user:password@elasticsearch:9200 \
              -n 100 \
              -f MESSAGE
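As an added example (not the es_query.sh script itself), the following POSIX sh builds the kind of _search body a tool with these flags would send: one term filter per key:value label, size from -n and _source restricted to the -f field. The query shape and the function names build_es_query and run_query are assumptions, not the project's code.

```shell
#!/bin/sh
# Added example (not the elastic-bash script itself): build the JSON body that a
# call like "./es_query.sh -l <labels> -n <number> -f <field>" would send to the
# Elasticsearch _search endpoint, with one "term" filter per key:value label.
# Written for POSIX sh; the script's real query shape is an assumption.

# Escape backslashes and double quotes so a label cannot break out of the JSON string.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_es_query LABELS NUMBER FIELD
#   LABELS: comma-delimited key:value pairs, e.g. "a.keyword:x,b.keyword:y"
#   NUMBER: hits to return ("size"); Elasticsearch returns only 10 by default
#   FIELD:  the _source field carrying the message (log, message or MESSAGE)
build_es_query() {
  labels=$1; number=$2; field=$3; filters=""; rest="$labels,"
  [ -n "$labels" ] || { echo "no labels given" >&2; return 1; }
  case $number in
    ''|*[!0-9]*) echo "bad number '$number': expected an integer" >&2; return 1 ;;
  esac
  # Walk the list one comma-separated pair at a time.
  while [ -n "$rest" ]; do
    pair=${rest%%,*}; rest=${rest#*,}
    key=${pair%%:*}            # text before the first ':'
    value=${pair#*:}           # text after it; a value may itself contain ':'
    if [ -z "$key" ] || [ "$key" = "$pair" ]; then
      echo "bad label '$pair': expected key:value" >&2; return 1
    fi
    # Term queries match exact values, which is why the README examples query
    # the ".keyword" sub-field of text-mapped labels.
    term=$(printf '{"term":{"%s":"%s"}}' "$(json_escape "$key")" "$(json_escape "$value")")
    filters="${filters:+$filters,}$term"
  done
  printf '{"size":%s,"_source":["%s"],"query":{"bool":{"filter":[%s]}}}' \
    "$number" "$(json_escape "$field")" "$filters"
}

# Send a body (read from stdin) to the _search endpoint. Credentials embedded in
# the URI (http://user:password@host:9200) land in shell history and `ps` output;
# a netrc file passed to curl with --netrc-file keeps them out of both.
run_query() {
  curl -sS -H 'Content-Type: application/json' -d @- "$1/_search"
}
```

Pipe the output of build_es_query into run_query to run the query: `build_es_query 'SYSTEMD_UNIT:docker.service' 100 MESSAGE | run_query http://elasticsearch:9200`.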
