ELK Python API test: counting yesterday's Apache log events in Elasticsearch with scan/scroll
import datetime
from elasticsearch import Elasticsearch
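# All three date stamps are derived from ONE reading of the clock so they
# cannot disagree with each other if the script happens to run across midnight
# (the original called datetime.now() three separate times).
# NOTE(review): datetime.now() is naive local time; the "||-8h" date math in
# the query below implies the host runs at UTC+8 — confirm on the machine that
# actually executes this script.
_now = datetime.datetime.now()
# Logstash daily-index suffix for yesterday, e.g. 2016.07.19 (%m/%d are zero-padded)
yesterday = (_now - datetime.timedelta(days=1)).strftime("%Y.%m.%d")
# ISO-style date used in the @timestamp range filter, e.g. 2016-07-19
filter_yesterday = (_now - datetime.timedelta(days=1)).strftime("%Y-%m-%d")
# Index suffix for the day before yesterday, e.g. 2016.07.18
before_yesterday = (_now - datetime.timedelta(days=2)).strftime("%Y.%m.%d")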
# Elasticsearch endpoint.
# NOTE(review): plain http and no credentials — anyone who can reach this
# address can read (and write) the cluster, and the traffic is unencrypted.
# Acceptable only on a trusted network segment; otherwise put TLS + auth in
# front of port 9200 and pass use_ssl/http_auth to the client.
url = "http://192.168.1.41:9200/"

# Query both daily indices that can contain yesterday's (local-time) events.
# Presumably needed because @timestamp is stored in UTC, so a local day at
# UTC+8 straddles two UTC-named logstash-YYYY.MM.DD indices — verify against
# the index naming on the cluster.
_index_pattern = "logstash-apache-www.linuxyw.com-{0}"
index_name = ",".join(_index_pattern.format(day) for day in (yesterday, before_yesterday))

# Client handle; 120 s timeout because a scan over a whole day can be slow.
# Construction does not contact the cluster, the first search does.
es = Elasticsearch(url, timeout=120)
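# Query body for es.search: every document whose @timestamp falls on
# "yesterday" in local wall-clock time.
data = {
    # Batch size per shard per scroll call (with search_type="scan").
    # NOTE(review): 10,000,000 means "pull everything in one batch"; the batch
    # is materialised in heap on the data nodes and in the client process, so
    # a large index can OOM either side. A few thousand per batch, combined
    # with the scroll loop, is the usual setting.
    "size": 10000000,
    "query": {
        "bool": {
            # No scoring criteria: keep every document the filter lets through.
            "must": {"match_all": {}},
            # Half-open day window [00:00, 24:00) in ES date math.
            # "gte" keeps events at exactly midnight and "lt" of the NEXT
            # midnight (+1d) keeps the whole final second; the previous
            # "gt 00:00:00" / "lt 23:59:59" pair silently dropped events at
            # 00:00:00.000 and in the 23:59:59.xxx range.
            # "-8h" shifts local (UTC+8) time to the UTC stored in @timestamp;
            # the cleaner equivalent on newer clusters is a
            # "time_zone": "+08:00" parameter on the range query.
            "filter": {
                "range": {
                    "@timestamp": {
                        "gte": "{date}T00:00:00||-8h".format(date=filter_yesterday),
                        "lt": "{date}T00:00:00||+1d-8h".format(date=filter_yesterday),
                    }
                }
            }
        }
    }
}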
# Response fields to keep (passed as filter_path to es.scroll) so the
# client does not deserialise the whole document. _scroll_id must stay in
# the list: without it the next batch cannot be requested.
_SOURCE_FIELDS = ('timestamp', '@timestamp', 'clientip', 'request')
return_fields = ['_scroll_id'] + ['hits.hits._source.' + field for field in _SOURCE_FIELDS]
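def _scroll_batches(keep_alive="1m"):
    """Yield successive lists of hits for ``data`` against ``index_name``.

    Opens a scan/scroll cursor (search_type="scan" returns no hits itself,
    only a ``_scroll_id``), then calls es.scroll until a batch comes back
    empty. The scroll context is released in ``finally`` so the server-side
    cursor is freed even if the consumer stops early or an error is raised,
    instead of lingering until ``keep_alive`` expires.

    :param keep_alive: how long ES keeps the cursor alive between calls.
    """
    # NOTE(review): search_type="scan" was deprecated in ES 2.1 and removed
    # in 5.0; on newer clusters use a plain scroll with sort=["_doc"] instead.
    res = es.search(
        index=index_name,
        body=data,
        search_type="scan",
        scroll=keep_alive,
    )
    scroll_id = res["_scroll_id"]
    try:
        while True:
            page = es.scroll(scroll_id=scroll_id, scroll=keep_alive, filter_path=return_fields)
            # With filter_path an empty final page may omit "hits" entirely,
            # so look it up defensively rather than indexing straight through.
            hits = page.get("hits", {}).get("hits", [])
            if not hits:
                break
            yield hits
            # ES may hand back a fresh id on each call; always use the latest.
            scroll_id = page.get("_scroll_id", scroll_id)
    finally:
        es.clear_scroll(scroll_id=scroll_id)


def main():
    """Print the number of documents matching ``data`` for yesterday.

    Iterates every scroll batch rather than reading only the first one, so
    the count stays correct when the indices hold more documents than a
    single batch (``data["size"]`` per shard) can return. Output is the
    same single integer the original printed.
    """
    total = sum(len(hits) for hits in _scroll_batches())
    print(total)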
if __name__ == '__main__':
    # Run only when executed directly, not when this module is imported.
    main()