Energy Logserver, as a tool for managing large amounts of data, will always try to integrate with the largest possible number of devices and data sources. We present a new solution that allows you to query Elasticsearch documents from the OP5 Monitor and Nagios level. Both saved objects and raw documents can be used.
Thanks to this, we can obtain even more detailed data and make monitoring of IT infrastructure more consistent and readable.
What's more, the scripts used for the integration are released under the Apache-2.0 license. We encourage you to use them, in the hope that they will improve the quality of your monitoring.
Project details and links below:
https://github.com/emca-it/check-elasticquery
https://github.com/emca-it/check-elasticquery/blob/master/check_elasticquery_6x.pl
https://github.com/emca-it/check-elasticquery/blob/master/check_elasticquery_7x.pl
This plugin checks the total number of documents matched by an Elasticsearch query. It is aimed at Energy Logserver and OP5 Log Analytics, and is also expected to work with open-source Elasticsearch and X-Pack.
Dependencies for CentOS 7:
# yum install perl-Monitoring-Plugin perl-libwww-perl perl-LWP-Protocol-https perl-JSON perl-String-Escape perl-Data-Dumper
Usage
$ ./check_elasticquery.pl -U|--url= -i|--index=
[ -q|--query= ]
[ -S|--search= ]
[ -T|--timerange= ]
[--timefield=
Usage examples
Total documents in the 'beats*' index for the latest 24 hours. The latest 24 hours is the default time range.
./check_elasticquery.pl -U 'http://user:password@localhost:9200' -i 'beats*'
Execute the saved search named 'protection' for the latest 15 minutes. By default the time range is applied to the @timestamp field; you can change this with the --timefield option.
./check_elasticquery.pl -U 'http://user:password@localhost:9200' -i 'beats*' -S 'protection' -T 'now:now-15m'
As above, plus show the single latest document.
./check_elasticquery.pl -U 'http://user:password@localhost:9200' -i 'beats*' -S 'protection' -T 'now:now-15m' -D 1
As above, plus restrict the output to the selected fields.
./check_elasticquery.pl -U 'http://user:password@localhost:9200' -i 'beats*' -S 'protection' -T 'now:now-15m' -D 1 -f message,timestamp
As above, plus limit each output field value to 100 characters.
./check_elasticquery.pl -U 'http://user:password@localhost:9200' -i 'beats*' -S 'protection' -T 'now:now-15m' -D 1 -f message,timestamp -l 100
Execute a Lucene query.
./check_elasticquery.pl -U 'http://user:password@localhost:9200' -i 'beats*' -q 'beat.name:example.com' -T 'now:now-15m' -D 1 -f message,timestamp
Execute a raw JSON query. In this mode the time range option (-T) is not applied, so you must define the time range inside the query itself, as in the example below.
./check_elasticquery.pl -U 'http://user:password@localhost:9200' -i 'beats*' -j -q ' { "size": 0, "query": { "bool": { "must": [ { "query_string": { "query": "task:\"Special Logon\"", "analyze_wildcard": true, "default_field": "*" } }, { "range": { "@timestamp": { "gte": "now-1d/d", "lte": "now/d" } } } ] } } } '
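As an added illustration, not the project's own Perl code, the following Python sketch shows what the options above translate to: -q, -T and --timefield become the bool query with a range clause seen in the JSON example, -j passes the body through untouched, hits.total is read in both the 6.x (integer) and 7.x (object) shapes, which is the reason the project ships separate 6x and 7x scripts, and -D/-f/-l shape the document output. The end:start order of the -T value, the warning/critical threshold semantics and the sample responses are assumptions for this example, not details taken from the project.

```python
import json

# Constructed sample responses (not real cluster output): 6.x vs 7.x shape of hits.total
ES6_RESPONSE = {"hits": {"total": 3, "hits": [
    {"_source": {"@timestamp": "2020-01-01T10:00:00Z", "message": "x" * 150,
                 "beat": {"name": "example.com"}}}]}}
ES7_RESPONSE = {"hits": {"total": {"value": 10000, "relation": "gte"}, "hits": []}}


def build_body(query=None, timerange="now:now-24h", timefield="@timestamp",
               json_query=None, size=0):
    """Return the _search body for the given options (mirrors -q/-T/--timefield/-j/-D)."""
    if json_query is not None:
        # -j mode: the body is sent as given; no range clause is added for -T
        return json.loads(json_query)
    # Assumed: the -T value is "<end>:<start>", so now:now-15m -> lte now, gte now-15m
    end, start = timerange.split(":", 1)
    must = [{"range": {timefield: {"gte": start, "lte": end}}}]
    if query:
        must.insert(0, {"query_string": {"query": query,
                                         "analyze_wildcard": True, "default_field": "*"}})
    return {"size": size, "sort": [{timefield: "desc"}], "query": {"bool": {"must": must}}}


def total_hits(response):
    """hits.total is an integer in ES 6.x but {"value", "relation"} in ES 7.x."""
    total = response["hits"]["total"]
    if isinstance(total, dict):
        return int(total["value"]), total.get("relation", "eq")
    return int(total), "eq"


def format_docs(response, fields=None, limit=None):
    """Render returned documents as field=value, honouring -f (fields) and -l (limit)."""
    lines = []
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        parts = []
        for key in (fields if fields else sorted(src)):
            value = src.get(key)
            value = json.dumps(value) if isinstance(value, (dict, list)) else str(value)
            parts.append(f"{key}={value[:limit] if limit else value}")
        lines.append(" ".join(parts))
    return lines


def check(response, warning=None, critical=None):
    """Nagios-style result (exit code, text); assumed semantics: count >= threshold alerts."""
    total, relation = total_hits(response)
    if critical is not None and total >= critical:
        code, state = 2, "CRITICAL"
    elif warning is not None and total >= warning:
        code, state = 1, "WARNING"
    else:
        code, state = 0, "OK"
    note = "" if relation == "eq" else f" (7.x reports a {relation} lower bound)"
    return code, f"{state} - {total} documents{note} | total={total}"
```

A 7.x cluster caps the exact count at 10000 unless track_total_hits is set, so a check that thresholds on the count should look at the relation field as shown.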