Logstash fields from aggregation to csv

ddcro · June 4, 2022, 7:39am

Hi guys,

I'm trying to export data from elastic to csv. The conf from logstash is something like:

input {
   elasticsearch {
           hosts => "127.0.0.1:9200"
           index => "log"
           ...
          query => '
            {
             "size":0,
              "query": {
                     "bool": {
                         "filter": [
                           { "term": {"country.keyword": "NZ"}}
                           ]
                 }
            },
           "aggs": {
               "byhostname": {
                     "terms": {      "field": "hostname.keyword"                  }
              }
              }
  }'
}
}

output {
  csv {
     fields => ["key"]    <==????????
     path => "/blabla/some.csv"
  }
}

The result from the query is something like:

.....
"aggregations" : {
    "byhostname" : {
      "doc_count_error_upper_bound" : 111,
      "sum_other_doc_count" : 301002,
      "buckets" : [
        {
          "key" : "site1",
          "doc_count" : 1335
        },
        {
          "key" : "site2",
          "doc_count" : 852
        }
       ................

I want to output to csv the aggregated values from buckets->"key" (site1, site2) but it doesn't seem to work. I can access the fields from the documents just fine. How shall I specify the field in the output csv section of the logstash?

Thank you

Tomo_M · June 4, 2022, 3:22pm

Elasticsearch input plugin is working just for the query and the aggs part may have no meaning.

It is an open issue.

github.com/logstash-plugins/logstash-input-elasticsearch

Support Aggregations

opened 01:41PM - 22 Feb 17 UTC

PhaedrusTheGreek

status:needs-triage int-shortlist

Not sure if this would be better supported by a totally different plugin, but I …think it would make sense to support aggregation results. As an example, say we wanted to use a sum aggregation, by terms. ``` GET myserverlogs*/_search { "size": 0, "aggs": { "types": { "terms": { "field": "hostname" }, "aggs": { "connections": { "sum": { "field": "connections" } } } } } } ``` Results: ``` "aggregations": { "types": { "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0, "buckets": [ { "key": "hostA", "doc_count": 90310, "total_connections": { "value": 2344 } }, { "key": "hostB", "doc_count": 485, "total_connections": { "value": 233 } }, { "key": "hostC", "doc_count": 485, "total_connections": { "value": 123 } } ] } } ``` Then in Logstash we could say something like: ``` input { elasticsearch { ... results_mode => "aggregation" source_array => "types.buckets" } } ``` This could even be used to create aggregation based summary indices on a regular interval. I remember @polyfractal was working on an ES plugin that did something similar last year.

One possible option is using Transform in Elasticsearch to store the aggregation data into another index and use Elasticsearch input plugin on that index to retrieve the result of aggregation.

ddcro · June 6, 2022, 7:02am

Thank you for your response. I will try to see if I can make a transform or maybe export the data with a python script.

system · July 4, 2022, 7:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.