Parse Kibana Query to sql object

Ofir_Safin · January 3, 2024, 4:51pm

Hi everyone, I'm trying to monitor logs from Elasticsearch in python
My problem is that each log has a different structure.
For example: "error" and applicationName :"test"

"query" will be like this: {
     "bool": {
       "must": [],
       "filter": [
         {
           "bool": {
             "filter": [
               {
                 "multi_match": {
                   "type": "phrase",
                   "query": "error",
                   "lenient": true
                 }
               },
               {
                 "bool": {
                   "should": [
                     {
                       "match_phrase": {
                         "applicationName": "test"
                       }
                     }
                   ],
                   "minimum_should_match": 1
                 }
               }
             ]
           }
         },
         {
           "range": {
             "time": {
               "format": "strict_date_optional_time",
               "gte": "2024-01-03T16:02:59.121Z",
               "lte": "2024-01-03T16:17:59.121Z"
             }
           }
         }
       ],
       "should": [],
       "must_not": []
     }
   },

And on the other hand a query like : "error" or applicationName: "test"
It will be like this

"query": {
     "bool": {
       "must": [],
       "filter": [
         {
           "bool": {
             "should": [
               {
                 "multi_match": {
                   "type": "phrase",
                   "query": "error",
                   "lenient": true
                 }
               },
               {
                 "bool": {
                   "should": [
                     {
                       "match_phrase": {
                         "applicationName": "test"
                       }
                     }
                   ],
                   "minimum_should_match": 1
                 }
               }
             ],
             "minimum_should_match": 1
           }
         },
         {
           "range": {
             "time": {
               "format": "strict_date_optional_time",
               "gte": "2024-01-03T16:04:16.374Z",
               "lte": "2024-01-03T16:19:16.374Z"
             }
           }
         }
       ],
       "should": [],
       "must_not": []
     }
   },

I can have several different types of queries, and it is not normal to build the object according to each type of query.
Does anyone know a better way?

lukas · January 4, 2024, 10:35pm

It's not really clear what you're trying to accomplish. Could you provide a more concrete example? Are you trying to create one query that you can use for both types of logs?

In Kibana, have you considered separate data views for each log type? Or, if they're in the same indices, first creating a filter for each log type?

system · February 1, 2024, 10:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.