I am using the below query to pull the information from logstash:

curl -XGET 'http://logs:xx00//_all/_search?pretty=true' -d '
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "_type": "pre"
          }
        },
        {
          "match": {
            "message": "MapDone"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-5m"
            }
          }
        }
      ]
    }
  }
}'
Output:
{ "took" : 177, "timed_out" : false, "_shards" : { "total" : 3225, "successful" : 3225, "failed" : 0 }, "hits" : { "total" : 1238, "max_score" : 4.3801584, "hits" : [ { "_index" : "fi-logstash-2015.01.21", "_type" : "fi", "_id" : "CORYzNPHnnQeu09A", "_score" : 4.3801584, "_source":{"thread_name":"main","message":"[MapDone]\tstandards.po.poRsxWrite in 169ms","@timestamp":"2015-01-21T14:48:59.835+00:00","level":"INFO","mdc":{},"file":"fi-1-small-log.json","class":"fi.log.MapLogHandler","line_number":"21","logger_name":"fi.Mapper","method":"info","@version":1,"source_host":"fi.pp","host":"prefi2","offset":"185244882","type":"prefi","tags":["instance"],"syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"} }
The above is only a part of the output. I am trying to get only the map name as output. When I am trying, I am getting errors.

Different sample Maps:

formats.pure.qm.fromSIP.toCSV.write in 24ms
H044Grain.hub.asn.from.advanceShipNoticeWrite in 188ms
H9B1honey.hub.po.fromFEDSto.purchaseOrder in 416ms
HAEPrugs.hub.rsx.v7.r0.po.poFedsWrite in 231ms
H4Grain2.hub.in.fromtoAPP.invoiceWrite in 110ms
H2Home.v700.e4060.co.in.inFedsWrite in 108ms

I am trying to get:
1 - only mapping names ( H4Grain2.hub.in.from.invoiceWrite )
2 - unique mappings ( something like | uniq to previous o/p )
3 - Average of last 1 minutes mappings
Can anybody help check if this is possible? Thanks a ton in advance.
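One way to post-process the JSON that curl returns, covering all three points (map names, unique names, per-map average over the last minute). This is an added example, not the poster's code; it assumes the `_source.message` and `@timestamp` shape shown in the output above, and the sample response below is constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the message format shown in the question: "[MapDone]\t<map name> in <N>ms".
MAPDONE_RE = re.compile(r"\[MapDone\]\s+(\S+) in (\d+)ms")

# Constructed sample response (same shape as the question's output, only the
# fields used here are kept).
SAMPLE_RESPONSE = json.dumps({"hits": {"hits": [
    {"_source": {"message": "[MapDone]\tH4Grain2.hub.in.from.invoiceWrite in 110ms",
                 "@timestamp": "2015-01-21T14:48:59.835+00:00"}},
    {"_source": {"message": "[MapDone]\tH4Grain2.hub.in.from.invoiceWrite in 90ms",
                 "@timestamp": "2015-01-21T14:48:30.000+00:00"}},
    {"_source": {"message": "[MapDone]\tformats.pure.qm.fromSIP.toCSV.write in 24ms",
                 "@timestamp": "2015-01-21T14:45:00.000+00:00"}},
    {"_source": {"message": "[MapDone]\tformats.pure.qm.fromSIP.toCSV.write in 40ms",
                 "@timestamp": "2015-01-21T14:48:10.000+00:00"}},
    {"_source": {"message": "INFO unrelated line", "@timestamp": "2015-01-21T14:48:00.000+00:00"}},
]}})

def parse_mapdone(response_text):
    """Yield (map_name, duration_ms, timestamp) for every hit whose message is a MapDone line."""
    for hit in json.loads(response_text)["hits"]["hits"]:
        src = hit["_source"]
        m = MAPDONE_RE.search(src.get("message", ""))
        if not m:
            continue  # not a MapDone line, skip it
        ts = datetime.fromisoformat(src["@timestamp"])
        yield m.group(1), int(m.group(2)), ts

def map_names(response_text):
    """1: the map name of every hit, in response order."""
    return [name for name, _, _ in parse_mapdone(response_text)]

def unique_map_names(response_text):
    """2: the distinct map names, like piping the names through sort | uniq."""
    return sorted(set(map_names(response_text)))

def average_ms_last_minute(response_text, now_iso):
    """3: per-map average duration over hits timestamped within the minute before now_iso."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(minutes=1)
    samples = defaultdict(list)
    for name, ms, ts in parse_mapdone(response_text):
        if ts >= cutoff:
            samples[name].append(ms)
    return {name: sum(v) / len(v) for name, v in samples.items()}
```

Pass the raw body printed by curl as `response_text`; the 5-minute window in the query can be narrowed to `now-1m` so Elasticsearch does the time filtering instead.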