Hello, I am trying to get unique agent hostnames, grouped with their logfile paths (I have Filebeat agents with a system.yml configuration). Here is the query:
curl -u myUser:myPassword -X GET "myELKhostname:9237/filebeat*/_search?pretty" -H 'Content-Type: application/json' -d '
{
  "size": 0,
  "aggs": {
    "logSummary": {
      "composite": {
        "sources": [
          { "agentHost": { "terms": { "field": "host.name.keyword" } } },
          { "logPath": { "terms": { "field": "log.file.path.keyword" } } }
        ]
      }
    }
  }
}
'
Here is the output:
{
  "took" : 1142,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "logSummary" : {
      "after_key" : {
        "agentHost" : "2250827ea151",
        "logPath" : "/var/log/dpkg.log"
      },
      "buckets" : [
        {
          "key" : {
            "agentHost" : "084c64f1ad0e",
            "logPath" : "/var/log/alternatives.log"
          },
          "doc_count" : 97
        },
        {
          "key" : {
            "agentHost" : "084c64f1ad0e",
            "logPath" : "/var/log/bootstrap.log"
          },
          "doc_count" : 1322
        },
        {
          "key" : {
            "agentHost" : "084c64f1ad0e",
            "logPath" : "/var/log/cloud-init-output.log"
          },
          "doc_count" : 105
        },
        {
          "key" : {
            "agentHost" : "084c64f1ad0e",
            "logPath" : "/var/log/cloud-init.log"
          },
          "doc_count" : 553
        },
        {
          "key" : {
            "agentHost" : "084c64f1ad0e",
            "logPath" : "/var/log/dpkg.log"
          },
          "doc_count" : 5057
        },
        {
          "key" : {
            "agentHost" : "2250827ea151",
            "logPath" : "/var/log/alternatives.log"
          },
          "doc_count" : 104
        },
        {
          "key" : {
            "agentHost" : "2250827ea151",
            "logPath" : "/var/log/bootstrap.log"
          },
          "doc_count" : 1293
        },
        {
          "key" : {
            "agentHost" : "2250827ea151",
            "logPath" : "/var/log/cloud-init-output.log"
          },
          "doc_count" : 103
        },
        {
          "key" : {
            "agentHost" : "2250827ea151",
            "logPath" : "/var/log/cloud-init.log"
          },
          "doc_count" : 553
        },
        {
          "key" : {
            "agentHost" : "2250827ea151",
            "logPath" : "/var/log/dpkg.log"
          },
          "doc_count" : 5667
        }
      ]
    }
  }
}
As you can see, the agentHost aggregation property has a hash, not a hostname. Why?
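
An added example, not part of the original post: the after_key in the response above is the cursor for requesting the next page of buckets (the query sets no size, and the composite default is 10 buckets per page). This Python code pages with `after` and folds the buckets into a host-to-paths map, which is the grouping the post is after. The `search` callable and the offline `fake_search` stub are assumptions, and the sample rows are a subset of the buckets shown in the output.

```python
# Added example. Field names come from the post's query; sample rows are a
# subset of the buckets in the post's output, replayed by an offline stub.
SOURCES = [
    {"agentHost": {"terms": {"field": "host.name.keyword"}}},
    {"logPath": {"terms": {"field": "log.file.path.keyword"}}},
]

def build_body(after_key=None, page_size=10):
    """Request body for one page; `after` resumes past the previous page's last key."""
    composite = {"size": page_size, "sources": SOURCES}
    if after_key is not None:
        composite["after"] = after_key
    return {"size": 0, "aggs": {"logSummary": {"composite": composite}}}

def collect(search, page_size=10):
    """Follow after_key until a page is empty; `search` (assumed) sends a body, returns parsed JSON."""
    inventory, after = {}, None
    while True:
        agg = search(build_body(after, page_size))["aggregations"]["logSummary"]
        for bucket in agg["buckets"]:
            key = bucket["key"]
            inventory.setdefault(key["agentHost"], {})[key["logPath"]] = bucket["doc_count"]
        after = agg.get("after_key")
        if not agg["buckets"] or after is None:
            return inventory  # {host: {path: doc_count}}

ROWS = sorted([
    ("084c64f1ad0e", "/var/log/alternatives.log", 97),
    ("084c64f1ad0e", "/var/log/dpkg.log", 5057),
    ("2250827ea151", "/var/log/alternatives.log", 104),
    ("2250827ea151", "/var/log/bootstrap.log", 1293),
    ("2250827ea151", "/var/log/dpkg.log", 5667),
])

def fake_search(body):
    """Offline stand-in for Elasticsearch: serves ROWS in key order, one page per call."""
    comp = body["aggs"]["logSummary"]["composite"]
    after = comp.get("after")
    start = (after["agentHost"], after["logPath"]) if after else ("", "")
    page = [r for r in ROWS if r[:2] > start][:comp["size"]]
    agg = {"buckets": [{"key": {"agentHost": h, "logPath": p}, "doc_count": n}
                       for h, p, n in page]}
    if page:
        agg["after_key"] = agg["buckets"][-1]["key"]
    return {"aggregations": {"logSummary": agg}}

if __name__ == "__main__":
    print(collect(fake_search, page_size=2))
```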