elasticsearch
onedmgoflthl, 2016-12-02 17:22:56

How to build an Elasticsearch query?

Greetings gentlemen!
There is an ELK-stack of version 5.0
Multiline events are sent from different servers to one index. One of the metrics is the state, "LaneIndic".
How to correctly construct a query in which I will pull out the last value of this state for each server?
With this query, I get the last value of LaneIndic among all servers.

GET /logstash-test-06/log/_search
{
  "_source": ["beat.hostname", "LaneIndic", "@timestamp"],
  "query": {
    "match_all": {}
  },
  "size": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

But how to get the same thing, but for each unique beat.hostname value?


2 answer(s)
Alexey Cheremisin, 2016-12-02
@onedmgoflthl

Most likely you need to do an aggregation.
First aggregate by "beat.hostname" with order = "@timestamp", then by LaneIndic with size=1. Like this:

{
    "size": 0,
    "aggs": {
        "host": {
            "terms": { "field": "beat.hostname" },
            "aggs": {
                "lane": {
                    "terms": {
                        "field": "LaneIndic",
                        "size": 1,
                        "order": { "last_seen": "desc" }
                    },
                    "aggs": {
                        "last_seen": { "max": { "field": "@timestamp" } }
                    }
                }
            }
        }
    }
}
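A worked version of the per-host aggregation, added here as an example and not code from the answer above: it uses a top_hits sub-aggregation (size 1, sorted by @timestamp desc) instead of a nested terms aggregation, so each host bucket carries the one newest document, and it flattens the reply into a {host: (LaneIndic, timestamp)} map. It assumes beat.hostname is an aggregatable (keyword) field; the hostnames, counts and values in SAMPLE_RESPONSE are constructed.

```python
import json


def last_state_per_host_query(host_field="beat.hostname", state_field="LaneIndic",
                              ts_field="@timestamp", max_hosts=100):
    """Search body: one terms bucket per host, each keeping only its newest document."""
    return {
        "size": 0,  # no plain hits, only the aggregation result
        "aggs": {
            "host": {
                "terms": {"field": host_field, "size": max_hosts},
                "aggs": {
                    "latest": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{ts_field: {"order": "desc"}}],
                            "_source": {"includes": [host_field, state_field, ts_field]},
                        }
                    }
                },
            }
        },
    }


def latest_state_by_host(response, state_field="LaneIndic", ts_field="@timestamp"):
    """Flatten the aggregation response into {host: (state, timestamp)}."""
    result = {}
    for bucket in response["aggregations"]["host"]["buckets"]:
        hits = bucket["latest"]["hits"]["hits"]
        if not hits:  # defensive: skip a bucket that somehow carries no document
            continue
        src = hits[0]["_source"]
        result[bucket["key"]] = (src.get(state_field), src.get(ts_field))
    return result


# Constructed sample, shaped like the Elasticsearch 5.x reply to the body above.
SAMPLE_RESPONSE = {"aggregations": {"host": {"buckets": [
    {"key": "srv-01", "doc_count": 42, "latest": {"hits": {"hits": [{"_source": {
        "LaneIndic": "OPEN", "@timestamp": "2016-12-02T17:20:00Z"}}]}}},
    {"key": "srv-02", "doc_count": 17, "latest": {"hits": {"hits": [{"_source": {
        "LaneIndic": "CLOSED", "@timestamp": "2016-12-02T17:21:30Z"}}]}}},
]}}}

if __name__ == "__main__":
    print(json.dumps(last_state_per_host_query(), indent=2))
    print(latest_state_by_host(SAMPLE_RESPONSE))
```

Send the body returned by last_state_per_host_query() to /logstash-test-06/log/_search and pass the JSON reply to latest_state_by_host().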

un1t, 2016-12-02
@un1t

For example:
instead of

"query" : {
    "match_all": {}
},

insert
"query" : {
    "match": {"beat.hostname": "имя сервера"}
},
