Is there a API which can get all beat.hostname in an index?

Elastic Stack Elasticsearch
1

Or some other way...

2

You can make an Elasticsearch query to get it. From Terms aggregation | Elasticsearch Guide [8.3] | Elastic;

curl -X GET "localhost:9200/INDEXNAME/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "aggs": {
    "hosts": {
      "terms": { "field": "beat.hostname" }
    }
  }
}
'
1 Like
3

I tried this, but returned 400 status:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
      }
    ],
    "type" : "search_phase_execution_exception",
    "reason" : "all shards failed",
    "phase" : "query",
    "grouped" : true,
    "failed_shards" : [
      {
        "shard" : 0,
        "index" : "logstash-nginx-log-whv3-2022.06.28",
        "node" : "3Fai_tbWTHS7_XRHJX5JDA",
        "reason" : {
          "type" : "illegal_argument_exception",
          "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
        }
      }
    ],
    "caused_by" : {
      "type" : "illegal_argument_exception",
      "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.",
      "caused_by" : {
        "type" : "illegal_argument_exception",
        "reason" : "Fielddata is disabled on text fields by default. Set fielddata=true on [beat.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
      }
    }
  },
  "status" : 400
}
4

What version are you on?

5

6.3.0

6

Yikes, that's very old and definitely past EOL. You need to look at upgrading as a matter of urgency, as 6.X is no longer supported, and 8.2 is latest.

Try changing the field to beat.hostname.keyword.

7

Thanks, it returned success.

But it only return 10 records, and only 2 beatnames are different. We have more than 20 beats in one index... How to get all of the beatname...

8

You asked for the hostname though?

9

Yes.. I am sorry, it seems I am not being clear.

10

I have found the solution.

Also thanks a lot for you time.

11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.