Is there a API which can get all beat.hostname in an index?

KeithTt · June 30, 2022, 1:53am

Or some other way...

warkolm · June 30, 2022, 5:27am

You can make an Elasticsearch query to get it. From Terms aggregation | Elasticsearch Guide [8.3] | Elastic;

curl -X GET "localhost:9200/INDEXNAME/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "aggs": {
    "hosts": {
      "terms": { "field": "beat.hostname" }
    }
  }
}
'

KeithTt · June 30, 2022, 6:30am

I tried this, but returned 400 status:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
      }
    ],
    "type" : "search_phase_execution_exception",
    "reason" : "all shards failed",
    "phase" : "query",
    "grouped" : true,
    "failed_shards" : [
      {
        "shard" : 0,
        "index" : "logstash-nginx-log-whv3-2022.06.28",
        "node" : "3Fai_tbWTHS7_XRHJX5JDA",
        "reason" : {
          "type" : "illegal_argument_exception",
          "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
        }
      }
    ],
    "caused_by" : {
      "type" : "illegal_argument_exception",
      "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.",
      "caused_by" : {
        "type" : "illegal_argument_exception",
        "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
      }
    }
  },
  "status" : 400
}

warkolm · June 30, 2022, 7:02am

What version are you on?

KeithTt · June 30, 2022, 7:06am

6.3.0

warkolm · June 30, 2022, 7:08am

Yikes, that's very old and definitely past EOL. You need to look at upgrading as a matter of urgency, as 6.X is no longer supported, and 8.2 is latest.

Try changing the field to beat.hostname.keyword.

KeithTt · June 30, 2022, 7:23am

Thanks, it returned success.

But it only return 10 records, and only 2 beatnames are different. We have more than 20 beats in one index... How to get all of the beatname...

warkolm · June 30, 2022, 7:31am

You asked for the hostname though?

KeithTt · June 30, 2022, 7:38am

Yes.. I am sorry, it seems I am not being clear.

KeithTt · June 30, 2022, 5:13pm

I have found the solution.

Also thanks a lot for you time.

system · July 28, 2022, 5:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.