Elasticsearch Queries

Mannu_Choudhary · June 11, 2017, 7:52am

I'm trying some scenarios using ELK. As I'm new to ELK could you guys help me out to make some queries for my below need.

Senarios:
1:- Find the no of occurrence of particular string. like ResourceManager
2:- Response time (find the time between two specific string). like between first ResourceManager to last last ResourceManager.
3:- Pattern matching (few specific line one after another).
4:- Threshold break (Like CPU > 80) - Theshold string capture.

Example log file - Logstash to Elasticsearch

2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool general - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool sysquery - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool sysdata - Memory(KB)
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool wosdata - Memory(KB)
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool tm - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool refresh - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool recovery - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool dbd - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool jvm - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool blobdata - File Handles
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool metadata - Memory(KB) - Threshold breakup > 80%
2017-03-14 12:23:43.477 unknown:0x7f3a7e [Init] Dumping out open file descriptors
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 0[[STDIN]] -> /dev/null
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 1[[STDOUT]] -> /data/disks_a/db/dbLog
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 2[[STDERR]] -> /data/disks_a/db/dbLog
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 3[Unknown] -> /proc/160845/fd
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 4[Unknown] -> /opt/vertica/log/adminTools.errors
2017-03-14 12:23:43.478 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 5[Unknown] -> /dev/null
2017-03-14 12:23:43.478 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 6[Unknown] -> /data/disks_a/db/node0001_catalog/startup.log
2017-03-14 12:23:43.478 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 7[Unknown] -> /data/disks_a/db/node0001_catalog/ErrorReport.txt

Thank you.

warkolm · June 11, 2017, 8:23am

What have you tried so far?

Mannu_Choudhary · June 12, 2017, 7:32pm

Hi Warkolm,

Here is what I've done so far - loaded file from logstash to elasticsearch

logstash-ver.conf file:-
`input {
file {
path => ["/home/release/ver2.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
index => "varlog-%{+YYYY.MM.dd}"
document_type => "system_logs"
}
stdout { codec => rubydebug }
}
`

STEP 2:- /opt/logstash/bin/logstash -f logstash-ver.conf

Simple query - just to check out the occurrences of word 'catalog'

curl -XGET 'http://localhost:9200/verticalog-2017.06.12/log/_search?pretty' -d '{
"query": {
"function_score": {
"query": {
"filtered": {
"query": {
"bool": {
"must": {
"query_string": {
"query": "Catalog*",
"fields": [
"@version",
"host",
"message",
"path",
"tags",
"type"
]
}
},
"should": []
}
},
"filter": {
"bool": {
"must": []
}
}
}
},
"functions": []
}
},
"size": "50"
}'

warkolm · June 13, 2017, 8:28am

That grok pattern does not match the log though, you probably need a custom pattern.

Mannu_Choudhary · June 13, 2017, 11:33am

Mannu_Choudhary:

2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool general - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool sysquery - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool sysdata - Memory(KB)
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool wosdata - Memory(KB)
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool tm - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool refresh - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool recovery - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool dbd - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool jvm - Queries
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool blobdata - File Handles
2017-03-14 12:23:43.477 unknown:0x7f3a7e [ResourceManager] pool metadata - Memory(KB) - Threshold breakup > 80%
2017-03-14 12:23:43.477 unknown:0x7f3a7e [Init] Dumping out open file descriptors
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 0[[STDIN]] -> /dev/null
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 1[[STDOUT]] -> /data/disks_a/db/dbLog
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 2[[STDERR]] -> /data/disks_a/db/dbLog
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 3[Unknown] -> /proc/160845/fd
2017-03-14 12:23:43.477 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 4[Unknown] -> /opt/vertica/log/adminTools.errors
2017-03-14 12:23:43.478 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 5[Unknown] -> /dev/null
2017-03-14 12:23:43.478 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 6[Unknown] -> /data/disks_a/db/node0001_catalog/startup.log
2017-03-14 12:23:43.478 unknown:0x7f3a7e @node0001: 00000/4273: Open FD 7[Unknown] -> /data/disks_a/db/node0001_catalog/ErrorReport.txt

Could you please suggest a query to give me the below results -
ID Message ID message Log Start Time Log End Time Count
1 1 ResourceManager 2017-03-14 12:23:43 2017-03-14 12:23:43 11

Thanks.

Mannu_Choudhary · June 13, 2017, 12:22pm

 curl -XGET 'http://localhost:9200/varlog-2017.06.12/log/_count?q=message:ResourceManager'

I'm getting the count via this query but not able to pull out the other info, like log start time and log end time within the same elastic search query.

system · July 11, 2017, 12:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logging queries and response times Elasticsearch	8	1295	July 6, 2017
What are they searching for and what are they getting? Elasticsearch	6	326	July 6, 2017
Elasticsearch as Logwatch Elasticsearch	7	2056	July 6, 2017
Log for ALL elasticsearch search queries, query latency, and query hits Elasticsearch	1	436	July 6, 2017
Is there any option to log queries? Elasticsearch	3	32725	July 6, 2017

Elasticsearch Queries

Related topics