Elasticsearch

SpectX supports reading data directly from an Elasticsearch database with the ES command:

ES '('   uri::STRING
            , index::STRING
           [, credentials '{' type::STRING, ... '}' ]
           [,_insecure_tls::BOOLEAN]
           [,_tasks_per_shard::INTEGER]
        ')'

where:

  • uri - Elasticsearch endpoint root URI.

  • index - index(es) to read from. Comma-separated (no whitespace); wildcards allowed.

  • _geopoint_equality_threshold - distance limit for two geopoints to be considered equal, default 1 km. Optional.

  • _insecure_tls - whether to skip server certificate chain and hostname validation, default false. Optional. Setting it to true lets any host that terminates the TLS connection impersonate the cluster and read the credentials and data sent to it; use it only against throwaway test instances, never with real credentials.

  • _tasks_per_shard - specifies how many retrieval tasks to create per replica of each shard of an index, default 1. Optional.

  • credentials - authentication attributes for different schemes:

    • credentials:{type:'basic', user::STRING, password::STRING} - HTTP Basic authentication
    • credentials:{type:'xpack', user::STRING, password::STRING} - user name and password for a cluster secured with X-Pack security
    • credentials:{type:'token', token::STRING} - OAuth2 Bearer token obtained via the Elasticsearch Get token API
    • credentials:{type:'aws', accessKeyId::STRING, secretKey::STRING, region::STRING} - AWS IAM user credentials for Amazon Elasticsearch Service
    • credentials:{type:'ec2'} - use when accessing Amazon Elasticsearch Service from an EC2 instance with an IAM role (credentials are retrieved from the instance metadata service)

When Elasticsearch is configured to accept anonymous requests, credentials can be omitted.
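The credential types above and the _insecure_tls switch end up as an HTTP Authorization header and a TLS verification policy on every request sent to the cluster. The following Python is an added example, not SpectX code, showing what those settings correspond to on the wire under the assumptions stated in the comments: basic and xpack as HTTP Basic authentication, token as a Bearer header, aws as AWS Signature Version 4 for the es service, and _insecure_tls as disabling certificate chain and hostname checks in the client's SSL context. The credentials, URL and timestamp are constructed sample values; the ec2 type is not implemented here because it requires a live instance metadata service.

```python
import base64
import datetime
import hashlib
import hmac
import ssl
import urllib.parse


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(credentials, method, url, amz_date=None, body=b""):
    """Sign a request for Amazon Elasticsearch Service with AWS Signature
    Version 4 (service name 'es') from the accessKeyId/secretKey/region fields
    of a credentials:{type:'aws', ...} spec. Standard SigV4 written out for
    illustration; it is not SpectX's implementation."""
    parts = urllib.parse.urlsplit(url)
    host = parts.netloc.lower()
    path = urllib.parse.quote(parts.path or "/", safe="/-_.~")
    # Canonical query string: parameters sorted by name, RFC 3986-encoded.
    query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    )
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    region, service = credentials["region"], "es"
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        method.upper(),
        path,
        query,
        f"host:{host}\nx-amz-date:{amz_date}\n",
        signed_headers,
        hashlib.sha256(body).hexdigest(),
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key from the secret through the date/region/service chain.
    k_date = _hmac_sha256(("AWS4" + credentials["secretKey"]).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={credentials['accessKeyId']}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }


def auth_headers(credentials, method="GET", url="", amz_date=None):
    """Map a credentials spec shaped like the ES command's credentials
    attribute ({type: ..., ...}) to the HTTP headers the request carries.
    The mapping for each type is an assumption about its wire form."""
    ctype = credentials.get("type")
    if ctype in ("basic", "xpack"):
        # Assumed: both are HTTP Basic auth; 'xpack' targets the X-Pack
        # security realm, which accepts the same Authorization header.
        raw = f"{credentials['user']}:{credentials['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if ctype == "token":
        return {"Authorization": "Bearer " + credentials["token"]}
    if ctype == "aws":
        return sigv4_headers(credentials, method, url, amz_date)
    if ctype == "ec2":
        raise NotImplementedError(
            "ec2 type reads temporary keys from the instance metadata service; "
            "sign with type 'aws' (plus a session token header) once retrieved")
    raise ValueError(f"unknown credentials type: {ctype!r}")


def tls_context(insecure_tls=False):
    """Build the SSL context an HTTPS client would use. insecure_tls=True
    mirrors _insecure_tls: neither the certificate chain nor the hostname is
    checked, so an on-path attacker presenting any certificate can read the
    headers built above. Keep it False outside throwaway test setups."""
    ctx = ssl.create_default_context()
    if insecure_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample values; the access key and secret are not real.
    aws_creds = {"type": "aws", "accessKeyId": "AKIDEXAMPLE",
                 "secretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "region": "us-east-1"}
    url = "https://search-example.us-east-1.es.amazonaws.com/apache/_search?q=response:500"
    print(auth_headers({"type": "basic", "user": "elastic", "password": "changeme"}))
    print(auth_headers(aws_creds, "GET", url)["Authorization"])
    print("verify_mode:", tls_context().verify_mode, tls_context(insecure_tls=True).verify_mode)
```

Basic and Bearer headers carry the secret in clear form inside the TLS tunnel, which is why the TLS context matters more than the credential type: with certificate checks off, every scheme except aws hands a reusable credential to whoever answers the connection, and aws still leaks the signed request. Note also that SigV4 binds the signature to the host, path, query and timestamp, so the same headers cannot be replayed against a different endpoint.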

Example 1. Query an Elasticsearch instance running on localhost in anonymous mode, reading from the index apache, which contains Apache web server access log entries:

@src = ES(
    uri: "http://127.0.0.1:9200"
    ,index: "apache"
);

@src
 .select(timestamp, ip, uri, verb, response, bytes, referrer);