Find missing computers from index

I have log data coming in via winlogbeat and syslog. I can create a visualization in Kibana that will show me a list of systems that are sending data to elasticsearch based on the received log data.

Because of the large number of computers (+-1000), I would like to set up a visualization that will show computers that are not sending data to elasticsearch based on a list of computer names I would provide.

I was not able to find a way to do this in Kibana. If there is, that would be nice. My second option was to write a script that queries elasticsearch based on a computer name list and sends the computer names that are missing back via syslog -> logstash -> elasticsearch.

What is the correct way to query an index based on "today" for a particular value in a field (computer_name) and stop at the first match?

This is what I have so far (This will end up being in a curl command in my script):

GET logstash-linux-*/_search
{
  "query": {
    "bool": {
      "should": {
        "match": {
          "computer_name": "elk"
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now/d"
          }
        }
      }
    }
  },
  "size": 1
}

So in the above example, I get a result back whether the computer name exists or not. The only thing that changes is the score (from 0 to something weird like 0.0010758473). Is this how it is supposed to work? Based on this, am I to assume that if the score is anything but zero then it found the computer name in the index and all scores of zeros mean it did not find the computer name in the index?

Ideally it would be nice (if possible) to search for all computer names at once in the query and it report back the missing ones. Otherwise, with something similar to above, I'd have to loop through a list of computer names in my script which would result in +-1000 queries.
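Added example (not from the original post): one way to check every expected host in a single request is a terms aggregation over today's events, restricted with `include` to the names you provide, and then diff the returned buckets against the list. It assumes the host field is called `computer_name` and is mapped as keyword (use `computer_name.keyword` if it is a text field with a keyword sub-field); the sample response below is constructed.

```python
"""Report expected hosts that have not logged anything since midnight.

Assumptions (not from the original post): the host name lives in a keyword
field `computer_name`, and the body is POSTed to <es>/logstash-*/_search
(e.g. via curl) with the result fed to missing_hosts().
"""
from typing import Iterable, List

FIELD = "computer_name"  # assumption; may need "computer_name.keyword"


def build_query(expected: Iterable[str]) -> dict:
    """One aggregation request instead of ~1000 single-host searches.

    size=0 suppresses hits; the terms aggregation only buckets names in
    `include`, so a host absent from the buckets has no events today.
    Keyword matching is exact and case-sensitive, so the supplied names
    must match how winlogbeat/syslog actually write them.
    """
    names = sorted(set(expected))
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": "now/d"}}}]}},
        "aggs": {"hosts": {"terms": {
            "field": FIELD,
            "include": names,            # only the hosts we care about
            "size": len(names),          # room for every expected host
            "shard_size": len(names) * 2  # avoid per-shard truncation
        }}},
    }


def missing_hosts(expected: Iterable[str], response: dict) -> List[str]:
    """Return expected hosts with no bucket in the aggregation response.

    If Elasticsearch truncated the bucket list, some present hosts would be
    reported as missing, so treat that as an error rather than a result.
    """
    agg = response["aggregations"]["hosts"]
    if agg.get("sum_other_doc_count", 0) > 0:
        raise ValueError("terms aggregation truncated; raise size/shard_size")
    seen = {bucket["key"] for bucket in agg["buckets"]}
    return sorted(set(expected) - seen)


# Constructed sample: four expected hosts, only two of them seen today.
EXPECTED = ["elk", "web01", "web02", "dc01"]
SAMPLE_RESPONSE = {"aggregations": {"hosts": {
    "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
    "buckets": [{"key": "elk", "doc_count": 120},
                {"key": "web02", "doc_count": 3}]}}}
```

The missing list can then be emitted as one syslog line per host, which fits the syslog -> logstash -> elasticsearch path described above.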
