Parse Kibana query to SQL object

Hi everyone, I'm trying to monitor logs from Elasticsearch in Python.
My problem is that each log has a different structure.
For example: "error" and applicationName:"test"

"query" will be like this:

```json
{
  "bool": {
    "must": [],
    "filter": [
      {
        "bool": {
          "filter": [
            {
              "multi_match": {
                "type": "phrase",
                "query": "error",
                "lenient": true
              }
            },
            {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "applicationName": "test"
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            }
          ]
        }
      },
      {
        "range": {
          "time": {
            "format": "strict_date_optional_time",
            "gte": "2024-01-03T16:02:59.121Z",
            "lte": "2024-01-03T16:17:59.121Z"
          }
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}
```

And on the other hand, a query like "error" or applicationName:"test"
will be like this:

```json
"query": {
  "bool": {
    "must": [],
    "filter": [
      {
        "bool": {
          "should": [
            {
              "multi_match": {
                "type": "phrase",
                "query": "error",
                "lenient": true
              }
            },
            {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "applicationName": "test"
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "range": {
          "time": {
            "format": "strict_date_optional_time",
            "gte": "2024-01-03T16:04:16.374Z",
            "lte": "2024-01-03T16:19:16.374Z"
          }
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}
```

I can have several different types of queries, and it is not normal to build the object according to each type of query.
Does anyone know a better way?
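One generic approach, as an added example that is not code from the post: walk the `bool` tree recursively instead of special-casing each query shape, and emit a parameterised SQL WHERE clause so the search terms are bound as values rather than pasted into the SQL string. It assumes the free-text `multi_match` maps to a single `message` column, and it whitelists field names before using them as identifiers, since column names (unlike values) cannot be bound as parameters.

```python
import re

_IDENT = re.compile(r"[A-Za-z_][\w.]*")   # identifiers can't be bound as params: whitelist shape

def _ident(name):
    if not _IDENT.fullmatch(name):
        raise ValueError(f"refusing unsafe field name: {name!r}")
    return name

def _join(preds, op):                       # one predicate needs no parentheses
    return preds[0] if len(preds) == 1 else "(" + f" {op} ".join(preds) + ")"

def to_sql(clause, params, text_column="message"):
    """Translate one query-DSL clause to a SQL predicate; literals go to `params` behind `?`."""
    [(kind, body)] = clause.items()          # each DSL clause is a one-key dict
    if kind == "bool":
        parts = [to_sql(c, params, text_column)
                 for key in ("must", "filter") for c in body.get(key, [])]
        should = [to_sql(c, params, text_column) for c in body.get("should", [])]
        # `should` only constrains when minimum_should_match is set or nothing else does
        if should and (body.get("minimum_should_match") or not parts):
            parts.append(_join(should, "OR"))
        parts += ["NOT " + to_sql(c, params, text_column) for c in body.get("must_not", [])]
        return _join(parts, "AND") if parts else "TRUE"
    if kind == "multi_match":                # free text from the Kibana search bar; assumed to
        params.append(f"%{body['query']}%")  # hit one text column (`%`/`_` in it act as wildcards)
        return f"{_ident(text_column)} LIKE ?"
    if kind == "match_phrase":               # field: "value" or field: {"query": ...}
        [(field, value)] = body.items()
        params.append(value["query"] if isinstance(value, dict) else value)
        return f"{_ident(field)} = ?"
    if kind == "range":
        [(field, bounds)] = body.items()     # extra keys such as "format" are ignored
        preds = []
        for op, sym in (("gte", ">="), ("gt", ">"), ("lte", "<="), ("lt", "<")):
            if op in bounds:
                params.append(bounds[op])
                preds.append(f"{_ident(field)} {sym} ?")
        return _join(preds, "AND")
    raise ValueError(f"unsupported clause type: {kind}")

def build_where(query):
    """Return (where_clause, params) ready for cursor.execute(sql, params)."""
    params = []
    return to_sql(query, params), params

# Constructed sample: the post's `"error" and applicationName:"test"` query, bool tree only
SAMPLE_AND = {"bool": {"filter": [{"bool": {"filter": [
    {"multi_match": {"type": "phrase", "query": "error", "lenient": True}},
    {"bool": {"should": [{"match_phrase": {"applicationName": "test"}}], "minimum_should_match": 1}}]}},
    {"range": {"time": {"gte": "2024-01-03T16:02:59.121Z", "lte": "2024-01-03T16:17:59.121Z"}}}]}}
```

`build_where(SAMPLE_AND)` yields `((message LIKE ? AND applicationName = ?) AND (time >= ? AND time <= ?))` with the four literals in the params list; the "or" variant from the post produces the same shape with `OR` in the inner group.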

It's not really clear what you're trying to accomplish. Could you provide a more concrete example? Are you trying to create one query that you can use for both types of logs?

In Kibana, have you considered separate data views for each log type? Or, if they're in the same indices, first creating a filter for each log type?
