I'm very new to ELK, but learning. Maybe someone else has done this?
I have a set of records in per-day indices which include a timestamp, and a
hostname (along with many
other fields). Any given hostname (eg: www.facebook.com) may appear many
times,
My goal is to create a report of the earliest appearance of each hostname,
and further pull out
a list each day of sites 'not seen before this day'.
I can get a JSON output for the host names (embedded in some JSON cruft}
with
{
"aggs": {
"hosts": {
"terms": {
"field": "hostname",
"size": 0
}
}
}
}
Problem 1: hostnames with embedded dashes fail - one of the strings
delimited by dashes appears instead,
so 'very-long-host-name.site.com' might get listed as just 'long'.
Problem 2:
I'm at a bit of a loss as to how to proceed from there.
Ideally, I'd like to be able to report the first appearance of any host, as
well as any new in the last day or other
time period
Thanks in advance...
pt
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/0db536b2-9df7-4366-8f46-d42ff95cf742%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.