Parameters[edit | edit source]
|indexRoot||The root name of the index to hit, the format is expected to be |
|keyString||Creates groups (like tagsets) and can also filter those groups. It is the format of |
|filterString||An Elastic regexp query that can be applied to any field. It is in the same format as the keystring argument.|
|field||The field in ElasticSearch to perform the operation on. Must be a numeric field.|
|rStat||Can be one of |
|bucketDuration||The same format is an opentsdb duration, and is the size of buckets returned (i.e. counts for every 10 minutes)|
|startDuration||set the time window from now - see the OpenTSDB |
|endDuration||set the time window from now - see the OpenTSDB |
Remarks[edit | edit source]
Deprecation[edit | edit source]
The LogStash query functions are deprecated, and only for use with v1.x of ElasticSearch. If you are running v2 or above of ElasticSearch, then you should refer to the Elastic Query functions.
Caveats[edit | edit source]
- There is currently no escaping in the keystring, so if you regex needs to have a comma or double quote you are out of luck.
- The regexs in keystring are applied twice. First as a regexp filter to elastic, and then as a go regexp to the keys of the result. This is because the value could be an array and you will get groups that should be filtered. This means regex language is the intersection of the golang regex spec and the elastic regex spec. Elastic uses lucene style regex. This means regexes are always anchored (see the documentation).
- If the type of the field value in Elastic (aka the mapping) is a number then the regexes wonât act as a regex. The only thing you can do is an exact match on the number, ie âeventlogid:1234â. It is recommended that anything that is a identifier should be stored as a string since they are not numbers even if they are made up entirely of numerals.
- Alerts using this information likely want to set ignoreUnknown, since only âgroupsâ that appear in the time frame are in the results
The average value of a field over time[edit | edit source]
lsstat returns various summary stats per bucket for the specified field. The field must be numeric in elastic.
rStat can be one of
The rest of the fields behave the same as
lscount, except that there is no division based on bucketDuration (since these are summary stats)
$max_querytime_by_minute = lsstat("logstash", "", "env:prod", "querytime", "max", "1m", "1h", "")
lsstat in this queries the
logstash indexes, filters on a field
env with the value
prod, and gives the
max value of
querytime for the last hour, in one minute buckets.