cat nodes_stats.json|jq '.nodes[].indices.docs.count'|awk '{s+=$0} END {print s}'
cat nodes_stats.json|jq '.nodes[].indices.store.size_in_bytes'|awk '{s+=$0} END {print s}'
cat people.json | jq -r '.[]|"\"\(.pk)\"" + ": " + "\"\(.fields.name)\""'
Mark Walkom markwalkom
markwalkom
/ missing-fields-query.json
Created
May 18, 2016 05:13
Via Kibana, only show documents that have a missing field
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Via https://smelloworld.wordpress.com/2016/05/17/missing-fields-search-in-elasticsearch/ | |
| {“query”:{“filtered”:{“query”:{“match_all”:{}},”filter”:{“missing”:{“field”:”FIELDNAME”}}}}} |
markwalkom
/ gist:3766250c5f6b6206bafcc6c23562b3fc
Created
May 4, 2016 08:39
Logstash Grok Pattern for Windows DNS Log files - via https://discuss.elastic.co/t/windows-dns-incompatible-character-encodings/48961/5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WINDNS %{NUMBER:log_date} %{TIME:log_time} %{WORD:dns_thread_id} %{WORD:dns_context}%{SPACE}%{WORD:dns_packet_id} %{WORD:dns_ip_protocol} %{WORD:dns_direction} %{IP:dns_client_address}%{SPACE}%{WORD:dns_xid}%{SPACE}(?:Q|R|U) ?(Q|R|U)?%{SPACE}[%{GREEDYDATA:dns_hex_flags}%{SPACE}%{WORD:dns_response}]%{SPACE}%{WORD:dns_recordtype}%{SPACE}([1-9][0-9]?)%{GREEDYDATA:dns_query_name} |
markwalkom
/ Logstash all
Created
February 5, 2016 03:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ logstash-2.2.0/bin/plugin list | |
| logstash-codec-avro | |
| logstash-codec-cef | |
| logstash-codec-cloudfront | |
| logstash-codec-cloudtrail | |
| logstash-codec-collectd | |
| logstash-codec-compress_spooler | |
| logstash-codec-dots | |
| logstash-codec-edn | |
| logstash-codec-edn_lines |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| F2B_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[ ]%{HOUR}:?%{MINUTE}(?::?%{SECOND}) | |
| F2B_ACTION (\w+)\.(?:\w+)(\s+)?\: | |
| F2B_JAIL \[(?<jail>\w+\-?\w+?)\] | |
| F2B_LEVEL (?<level>\w+)\s+ |
This is an example of using ELK to parse and view collectd data.
Caveat - I haven't fully tested this mapping yet, it doesn't take into account any other fields that may be added with other collectd plugins, just the ones I have specified below.
markwalkom
/ gist:f47a30e37cd402f2dc5d
Last active
August 29, 2015 14:21
Export from ES to a json file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| elasticsearch { | |
| hosts => [ "HOSTNAME_HERE" ] | |
| port => "9200" | |
| index => "INDEXNAME_HERE" | |
| size => 500 | |
| scroll => "5m" | |
| } | |
| } | |
| output { |
markwalkom
/ logstash.conf
Last active
April 29, 2022 10:23
Reindexing Elasticsearch with Logstash 2.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| elasticsearch { | |
| hosts => [ "HOSTNAME_HERE" ] | |
| port => "9200" | |
| index => "INDEXNAME_HERE" | |
| size => 1000 | |
| scroll => "5m" | |
| docinfo => true | |
| scan => true | |
| } |
markwalkom
/ es-1.2-settings.md
Last active
August 29, 2015 14:08
— forked from jprante/es-1.2-settings.md
| Name | Description |
|---|---|
| action.allow_id_generation | - |
| action.auto_create_index | - |
| action.bulk.compress | - |
| action.destructive_requires_name | http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/_parameters.html#_parameters |
| action.disable_shutdown | http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/cluster-nodes-shutdown.html#_disable_shutdown |
| action.get.realtime | http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-get.html#realtime |
I hereby claim:
- I am markwalkom on github.
- I am markwalkom (https://keybase.io/markwalkom) on keybase.
- I have a public key whose fingerprint is 3624 D73D 1018 8785 6475 F84D 5CA5 78CB 1845 5C92
To claim this, I am signing this object: