Querying Logstash Data in Elasticsearch Using Curl and JQ - Backdrift Backdrift

Querying Logstash Data in Elasticsearch Using Curl and JQ

Today I came across the need to query logstash logs directly from elasticsearch. Here is a quick example of how to do so using curl and jq.

logstash-server:~$ cat search.sh
curl -XGET 'localhost:9200/_search?pretty&amp;size=10000' -d '
{
    "query": {
        "query_string" : {
            "query" : "facility:19,local3 AND @timestamp:[2019-08-04T03:00 TO 2019-08-04T03:15]"
        }
    },
    "sort": ["@timestamp"]
} '

logstash-server:~$ bash search.sh | jq '.hits.hits[]._source | {timestamp,host,level,message}' | head -20