Elasticsearch

Cast supports two flavors of Elasticsearch query: Lucene string queries (the syntax used in Kibana's search bar) and the more elaborate JSON query DSL. For the former, create a data source of type Kibana; for the latter, create a data source of type Elasticsearch. In both cases the query is wrapped in a small JSON document that names the index, the fields to return, a result limit and a sort order.

String query example:

  • Query the index named “facebook”
  • Filter by “user:dave”
  • Return the fields: “@timestamp”, “post” and “user”
  • Return up to 30 results
  • Sort by @timestamp ascending
{
  "index": "facebook",
  "query": "user:dave",
  "fields": ["@timestamp", "post", "user"],
  "limit": 30,
  "sort": "@timestamp:asc"
}

Simple query on a logstash Elasticsearch instance:

  • Query the index pattern “logstash-2015.04.*” (in this case all of April 2015)
  • Filter by type:events AND eventName:Cast AND channel:castapp
  • Return the fields: “@timestamp”, “userId”, “channel”, “utm_source”, “utm_medium” and “utm_campaign”
  • Return up to 150 results
  • Sort by @timestamp ascending
{
  "index": "logstash-2015.04.*",
  "query": "type:events AND eventName:Cast AND channel:castapp",
  "fields": [
    "@timestamp",
    "userId",
    "channel",
    "utm_source",
    "utm_medium",
    "utm_campaign"
  ],
  "limit": 150,
  "sort": "@timestamp:asc"
}

JSON document query on an Elasticsearch instance:

  • Query the index named “facebook”
  • Filter by user equal to “dave” (a match query)
  • Return the fields: “@timestamp”, “post” and “user”
  • Return up to 15 results
  • Sort by @timestamp ascending
{
  "index": "facebook",
  "query": {
    "match": {
      "user": "dave"
    }
  },
  "fields": ["@timestamp", "post", "user"],
  "limit": 15,
  "sort": "@timestamp:asc"
}
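To make the shape of these query documents concrete, the following is an added example (not Cast's own code) that validates a query document of either flavor and translates it into the path and body of an Elasticsearch `_search` request. The translation is an assumption about what a Cast-style wrapper does: a string `query` becomes a `query_string` query, a JSON `query` is passed through as-is, `fields` becomes `_source` filtering, `limit` becomes `size`, and `field:asc|desc` becomes an Elasticsearch sort clause. The index check is the part a practitioner should care about: because the index name ends up in the request path, values such as `../_cluster/health`, `_all` or `a,b` are rejected so that a query document cannot reach other indices or cluster APIs. The cap of 10000 on `limit` is an assumption matching Elasticsearch's default `index.max_result_window`.

```python
import json
import re

# Added example, not Cast's own code. Translates a Cast-style query document
# (string or JSON flavor) into an Elasticsearch _search request and validates
# the parts of it that influence the request path or resource usage.

# Elasticsearch index names are lowercase and may not contain \ / ? " < > | , #
# or whitespace, and may not start with - _ or +. '*' is accepted here because
# Cast queries use wildcard index patterns such as "logstash-2015.04.*".
INDEX_RE = re.compile(r"^[a-z0-9][a-z0-9._*\-]*$")
SORT_RE = re.compile(r"^([A-Za-z0-9_@.\-]+):(asc|desc)$")
MAX_LIMIT = 10000   # assumption: cap to the default index.max_result_window
DEFAULT_LIMIT = 10  # assumption: Elasticsearch's own default page size


def validate_index(index):
    """Reject index patterns that could change the request path (e.g.
    '../_cluster/health', 'a,b', 'logs/') or target everything ('_all')."""
    if not isinstance(index, str) or index in (".", "..") or not INDEX_RE.match(index):
        raise ValueError("invalid index pattern: %r" % (index,))
    return index


def parse_sort(sort):
    """'@timestamp:asc' -> [{'@timestamp': {'order': 'asc'}}]."""
    match = SORT_RE.match(sort) if isinstance(sort, str) else None
    if match is None:
        raise ValueError("sort must be '<field>:asc|desc', got %r" % (sort,))
    return [{match.group(1): {"order": match.group(2)}}]


def parse_limit(limit):
    """Require a positive integer no larger than MAX_LIMIT (bool is an int in
    Python, so it is excluded explicitly)."""
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be an integer between 1 and %d" % MAX_LIMIT)
    return limit


def build_search_request(doc):
    """Return (path, body) for a POST to <path> with <body> as JSON.

    A string 'query' is treated as Lucene syntax and wrapped in query_string;
    a dict 'query' is the JSON query DSL and is sent as given.
    """
    index = validate_index(doc["index"])
    query = doc["query"]
    if isinstance(query, str):
        es_query = {"query_string": {"query": query}}
    elif isinstance(query, dict):
        es_query = query
    else:
        raise ValueError("query must be a Lucene string or a JSON query object")

    body = {"query": es_query, "size": parse_limit(doc.get("limit", DEFAULT_LIMIT))}

    fields = doc.get("fields")
    if fields is not None:
        if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields):
            raise ValueError("fields must be a list of field names")
        body["_source"] = fields  # source filtering works across ES versions

    if "sort" in doc:
        body["sort"] = parse_sort(doc["sort"])

    return "/%s/_search" % index, body


def build_from_json(text):
    """Parse the query document as strict JSON first; json.loads rejects a
    trailing comma after the last array element, a common editing mistake."""
    return build_search_request(json.loads(text))


if __name__ == "__main__":
    # Constructed sample: the string-flavor example from the page.
    sample = {
        "index": "facebook",
        "query": "user:dave",
        "fields": ["@timestamp", "post", "user"],
        "limit": 30,
        "sort": "@timestamp:asc",
    }
    path, body = build_search_request(sample)
    print("POST", path)
    print(json.dumps(body, indent=2))
```

Run it as a script to see the request the string-flavor example produces; `build_from_json` is the entry point to use on the raw text of a query document, since it also catches malformed JSON before anything is sent.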

A note on authentication

Cast has two data sources available for Elasticsearch clusters. Use the Amazon Elasticsearch Service source if your cluster uses IAM-based authentication, since requests to it must be signed with AWS credentials; otherwise, use the standard Elasticsearch data source.