Logstash fields from aggregation to csv

ddcro · June 4, 2022, 7:39am

Hi guys,

I'm trying to export data from elastic to csv. The conf from logstash is something like:

input {
   elasticsearch {
           hosts => "127.0.0.1:9200"
           index => "log"
           ...
          query => '
            {
             "size":0,
              "query": {
                     "bool": {
                         "filter": [
                           { "term": {"country.keyword": "NZ"}}
                           ]
                 }
            },
           "aggs": {
               "byhostname": {
                     "terms": {      "field": "hostname.keyword"                  }
              }
              }
  }'
}
}

output {
  csv {
     fields => ["key"]    <==????????
     path => "/blabla/some.csv"
  }
}

The result from the query is something like:

.....
"aggregations" : {
    "byhostname" : {
      "doc_count_error_upper_bound" : 111,
      "sum_other_doc_count" : 301002,
      "buckets" : [
        {
          "key" : "site1",
          "doc_count" : 1335
        },
        {
          "key" : "site2",
          "doc_count" : 852
        }
       ................

I want to output to csv the aggregated values from buckets->"key" (site1, site2) but it doesn't seem to work. I can access the fields from the documents just fine. How shall I specify the field in the output csv section of the logstash?

Thank you

Tomo_M · June 4, 2022, 3:22pm

Elasticsearch input plugin is working just for the query and the aggs part may have no meaning.

It is an open issue.

github.com/logstash-plugins/logstash-input-elasticsearch

Support Aggregations

opened 01:41PM - 22 Feb 17 UTC

PhaedrusTheGreek

status:needs-triage int-shortlist

Not sure if this would be better supported by a totally different plugin, but I …think it would make sense to support aggregation results. As an example, say we wanted to use a sum aggregation, by terms. ``` GET myserverlogs*/_search { "size": 0, "aggs": { "types": { "terms": { "field": "hostname" }, "aggs": { "connections": { "sum": { "field": "connections" } } } } } } ``` Results: ``` "aggregations": { "types": { "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0, "buckets": [ { "key": "hostA", "doc_count": 90310, "total_connections": { "value": 2344 } }, { "key": "hostB", "doc_count": 485, "total_connections": { "value": 233 } }, { "key": "hostC", "doc_count": 485, "total_connections": { "value": 123 } } ] } } ``` Then in Logstash we could say something like: ``` input { elasticsearch { ... results_mode => "aggregation" source_array => "types.buckets" } } ``` This could even be used to create aggregation based summary indices on a regular interval. I remember @polyfractal was working on an ES plugin that did something similar last year.

One possible option is using Transform in Elasticsearch to store the aggregation data into another index and use Elasticsearch input plugin on that index to retrieve the result of aggregation.

ddcro · June 6, 2022, 7:02am

Thank you for your response. I will try to see if I can make a transform or maybe export the data with a python script.

Topic		Replies	Views
How to get the aggregation value into a field in CSV in logstash configuration file? Elasticsearch	1	393	March 31, 2022
Aggregations in logstash Logstash	4	1159	July 6, 2017
ES Aggregation as Logstash Input Logstash	1	3033	December 6, 2017
Exporting aggregated data out of ES Logstash	5	1046	June 13, 2017
Using logstash to get data out of elasticsearch to a csv file Logstash	3	3981	July 6, 2017

Logstash fields from aggregation to csv

Related topics