Elasticsearch
Elasticsearch
Section titled “Elasticsearch”Cast supports two flavors of Elasticsearch queries, Lucene/string style queries (like Kibana) and the more elaborate JSON based queries. For the first one create a data source of type Kibana and for the later create data source of type Elasticsearch.
String query example:
Section titled “String query example:”- Query the index named “facebook”
- Filter by “user:dave”
- Return the fields: “@timestamp”, “post” and “user”
- Return up to 30 results
- Sort by @timestamp ascending
{ "index": "facebook", "query": "user:dave", "fields": ["@timestamp", "post", "user"], "limit": 30, "sort": "@timestamp:asc"}Simple query on a logstash Elasticsearch instance:
Section titled “Simple query on a logstash Elasticsearch instance:”- Query the index named “logstash-2015.04.* (in this case its all of April 2015)
- Filter by type:events AND eventName:Cast AND channel:castapp
- Return fields: “@timestamp”, “userId”, “channel”, “utmsource”, “utmmedium”, “utmcampaign”,
- Return up to 150 results
- Sort by @timestamp ascending
{ "index": "logstash-2015.04.*", "query": "type:events AND eventName:Cast AND channel:castapp", "fields": [ "@timestamp", "userId", "channel", "utm_source", "utm_medium", "utm_campaign", ], "limit": 150, "sort": "@timestamp:asc"}JSON document query on a ElasticSearch instance:
Section titled “JSON document query on a ElasticSearch instance:”- Query the index named “facebook”
- Filter by user equal “dave”
- Return the fields: “@timestamp”, “post” and “user”
- Return up to 15 results
- Sort by @timestamp ascending
{ "index": "facebook", "query": { "match": { "user": "dave" } }, "fields": ["@timestamp", "post", "user"], "limit": 15, "sort": "@timestamp:asc"}A note on authentication
Section titled “A note on authentication”Cast has two Data Sources available for Elasticsearch. You need to use the Amazon Elasticsearch service source if you’re using IAM based authentication. Otherwise, use the standard data source.