8. Additional commands
8.1 RSE Core commands
8.1.1 Check the cluster health
Command:
curl -XGET -H "Content-Type: application/json" http://localhost:9200/_cluster/health?pretty=true
Expected output:
{
"cluster_name" : "rsecore",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 10,
"active_shards" : 20,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
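The health document above is what an operator reads by eye; a monitoring job should make the same judgement automatically. The following is an added example, not part of the RSE Core documentation: it parses the expected output quoted above (embedded so the check runs offline), flags anything that needs attention, and exits non-zero so it can be scheduled from cron or a check framework. The expected node count, the set of shard counters treated as findings, and the fetch helper are assumptions for illustration.

```python
"""Assess the _cluster/health document the previous command returns.

Added example; not part of the RSE Core documentation. SAMPLE_HEALTH is the
expected output quoted on this page; the thresholds and the fetch helper are
assumptions for illustration.
"""
import json
import sys
import urllib.request

# Sample input: the expected output shown on this page for a healthy 3-node cluster.
SAMPLE_HEALTH = """{
  "cluster_name" : "rsecore",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 10,
  "active_shards" : 20,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}"""


def parse_health(text):
    """Parse the JSON body returned by GET _cluster/health."""
    return json.loads(text)


def fetch_health(base_url="http://localhost:9200", timeout=5):
    """Fetch the live document (same request as the curl command above)."""
    with urllib.request.urlopen(f"{base_url}/_cluster/health", timeout=timeout) as resp:
        return json.load(resp)


def assess_health(doc, expected_nodes=3):
    """Return (ok, findings): ok is True only when every check passes.

    The checks mirror what an operator reads off the document: the colour,
    the node count, and shard counters that are all zero on a quiet cluster.
    """
    findings = []
    status = doc.get("status")
    if status != "green":
        findings.append(f"status is {status!r}, expected 'green'")
    if doc.get("timed_out"):
        findings.append("health request timed out; the master may be unresponsive")
    nodes = doc.get("number_of_nodes", 0)
    if nodes < expected_nodes:
        findings.append(f"{nodes} of {expected_nodes} nodes present")
    for key in ("unassigned_shards", "initializing_shards", "relocating_shards"):
        if doc.get(key, 0):
            findings.append(f"{key} is {doc[key]}")
    if doc.get("number_of_pending_tasks", 0):
        findings.append(f"{doc['number_of_pending_tasks']} pending cluster tasks")
    return (not findings, findings)


if __name__ == "__main__":
    # Offline run against the sample; pass a base URL as argv[1] to check a live cluster.
    doc = fetch_health(sys.argv[1]) if len(sys.argv) > 1 else parse_health(SAMPLE_HEALTH)
    ok, findings = assess_health(doc)
    print("OK" if ok else "ATTENTION: " + "; ".join(findings))
    sys.exit(0 if ok else 1)
```

A yellow cluster with unassigned shards is still serving searches, which is why a colour check alone is easy to ignore; listing every non-zero counter in the findings tells the on-call engineer what to look at in `_cat/allocation` or `_cat/shards` before the cluster goes red.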
8.1.2 Speed up lifecycle policy check
Command to set it to 1 minute:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/_cluster/settings --data '
{
"transient": {
"indices.lifecycle.poll_interval": "1m"
}
}'
8.1.3 Set lifecycle policy speed to default
Command to reset the policy:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/_cluster/settings --data '
{
"transient": {
"indices.lifecycle.poll_interval": null
}
}'
8.1.4 List indexes
Command to list the indexes:
curl -XGET 'localhost:9200/_cat/indices'
8.1.5 Check cluster disk space
Command to list the cluster disk space:
curl -XGET 'localhost:9200/_cat/allocation?v&pretty'
8.1.6 Filter on host and time
Adjust size for more results.
Command to filter on host and time:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must": [ { "match": { "HOST_FROM": "172.16.30.1" } }, { "range": { "R_ISODATE": { "gte": "2022-01-13T22:45:39.493+00:00" } } } ] } } , "size": 3 }' | jq
8.1.7 View top 10 results
Command to view top 10 messages:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search?pretty
8.1.8 View the mapping of the fields
Command to view mapping of the fields:
curl -X GET http://127.0.0.1:9200/rse*/_mapping?pretty
8.1.9 Search between times
Adjust size for more results.
Command to view output between a start and stop time:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must": [ { "match": { "HOST_FROM": "172.16.30.1" } }, { "range": { "R_ISODATE": { "gte": "2022-01-13T22:45:39.493+00:00", "lte": "2022-01-17T22:45:39.493+00:00" } } } ] } } , "size": 3 }' | jq
8.1.10 Search unique MAC addresses from DHCP index
Command to view output of unique MAC addresses from a DHCP index:
Requires Logstash to index the data.
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/logstash-rsx-dhcp*/_search?size=10000 -d '{ "query" : { "bool" : { "should": [ { "match": { "Host_Name": "*NUC00*" } }, { "range": { "@timestamp": { "gte": "now-1d/d" } } } ] } } }' | jq | grep MAC_Address | sort | uniq -d
8.1.11 View 2 exact terms
Command to view multiple exact terms:
curl -X POST http://127.0.0.1:9200/rse*/_search -H 'Content-Type:application/json' -d '{
"query": {
"terms" : {
"HOST_FROM" : [ "172.16.30.1", "172.16.30.24" ]
}
}
}' | jq
8.1.12 View 1 exact term
Command to view 1 exact term:
curl -X POST http://127.0.0.1:9200/rse*/_search -H 'Content-Type:application/json' -d '{
"query": {
"term" : {
"HOST_FROM" : "172.16.30.1"
}
}
}' | jq
8.1.13 Flush indexes
Command to start the flush process of an index. A flush makes sure that any data currently persisted only in the transaction log is also permanently persisted in Lucene:
curl -XPOST --header 'Content-Type: application/json' http://localhost:9200/_flush?wait_if_ongoing | jq
Flush a set or a single index:
Note: use a wildcard to group the indexes.
curl -XPOST --header 'Content-Type: application/json' http://localhost:9200/rse*/_flush | jq
8.1.14 Delete index
Command to delete a single index:
Index = logstash-rsx-2020.03.28
curl -XDELETE http://localhost:9200/logstash-rsx-2020.03.28 | jq
8.1.15 View license
Command to view the license:
curl -XGET 'http://localhost:9200/_license?pretty'
8.1.16 Lite search a value on multiple fields
Command to filter a single value on all fields:
curl -XGET 'localhost:9200/_all/_search?q=172.16.30.1&pretty'
8.1.17 Lite search a single value for 1 field
Command to filter a single value within 1 field:
curl -XGET 'localhost:9200/_all/_search?q=HOST_FROM:172.16.30.1&pretty'
8.1.18 Example searches
Create a search query for the message field:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "match" : { "MESSAGE": "172.16.30.1" } } }' | jq
or
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must": { "match": { "MESSAGE": "172.16.30.1" } } } } }' | jq
Exclude result based on a single word:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must_not": { "match": { "MESSAGE": "172.16.30.1" } } } } }' | jq
8.1.19 Advanced searches
Command to exclude a value and filter down a host within a specific time range:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must_not" : [ { "match" : { "PROGRAM" : "dhcpd" } } ], "filter" : [ { "term": { "HOST_FROM" : "172.16.30.1" } }, { "range": { "R_ISODATE": { "gte": "2022-08-06T10:13:00.000+00:00", "lte": "2022-08-06T10:20:00.000+00:00" } } } ] } } , "size": 300 }' | jq
Command to filter down a value within a specific time range using OR:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "should": [ { "match": { "MESSAGE": "172.16.30.1" } }, { "range": { "R_ISODATE": { "gt": "2022-08-06T10:13:00.000+00:00", "lt": "2022-08-06T10:20:00.000+00:00||+1M" } } } ] } } }' | jq
Command to filter down a value within a specific time range using AND (This query uses authentication):
curl -XGET --header 'Content-Type: application/json' http://elastic:elastic@localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must": [ { "match": { "MESSAGE": "marcel" } }, { "range": { "ISODATE": { "gt": "2022-08-12T06:50:14+00:00", "lt": "2022-08-12T06:52:14+00:00" } } } ] } } , "size": 300 }' | jq -r -c '.hits.hits[]._source.MESSAGE'
Command to exclude a value and filter down multiple hosts within a specific time range:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must_not" : [ { "match" : { "PROGRAM" : "dhcpd" } } ], "filter" : [ { "terms": { "HOST_FROM" : [ "172.16.30.1", "172.16.30.24" ] } }, { "range": { "R_ISODATE": { "gte": "2022-08-06T10:13:00.000+00:00", "lte": "2022-08-06T10:20:00.000+00:00" } } } ] } } , "size": 300 }' | jq
Search for value on multiple fields:
Note: Both the fields must match the value.
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "multi_match" : { "query": "172.16.30.1", "fields": [ "MESSAGE", "HOST_FROM" ] } } }' | jq
Search results after date and time with a value using OR:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "should": [ { "match": { "MESSAGE": "172.16.30.1" } }, { "range": { "R_ISODATE": { "gte": "2022-08-06T10:13:00.000+00:00" } } } ] } } }' | jq
Search results after date and time with a value using AND:
curl -XGET --header 'Content-Type: application/json' http://elastic:elastic@localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "must": [ { "match": { "MESSAGE": "marcel" } }, { "match": { "MESSAGE": "VPN" } }, { "range": { "ISODATE": { "gt": "2022-08-12T06:50:14+00:00", "lt": "2022-08-12T06:52:14+00:00" } } } ] } } , "size": 300 }' | jq -r -c '.hits.hits[]._source.MESSAGE'
Search results of the last hour with a value:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "bool" : { "should": [ { "match": { "MESSAGE": "172.16.30.1" } }, { "range": { "R_ISODATE": { "gte": "now-1h" } } } ] } } }' | jq
8.1.20 Validate queries
Check if queries are valid:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_validate/query -d '{ "query" : { "match" : { "MESSAGE": "172.16.30.1" } } }' | jq
Check if a query is valid, with explanation:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_validate/query?explain -d '{ "query" : { "match" : { "MESSAGE": "172.16.30.1" } } }' | jq
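The advanced searches in 8.1.19 all combine the same building blocks (a scored match on MESSAGE, a must_not on PROGRAM, exact term/terms filters on HOST_FROM, a range on R_ISODATE), and 8.1.20 shows how to have the cluster check the result before running it. The following is an added example, not part of the RSE Core documentation, that assembles those blocks from parameters, validates the query the way 8.1.20 does, and prints the MESSAGE field like the `jq -r '.hits.hits[]._source.MESSAGE'` pipelines above. The field names and the rse* index pattern are taken from this page; the base URL defaults to the page's localhost:9200 and the credential tuple in main is a placeholder you must replace.

```python
"""Build, validate and run the bool queries shown above as curl one-liners.

Added example covering 8.1.19 and 8.1.20; not part of the RSE Core documentation.
Field names (HOST_FROM, PROGRAM, MESSAGE, R_ISODATE) and the rse* pattern come
from the page; the base URL and the credentials are placeholders.
"""
import base64
import json
import urllib.request


def build_query(host=None, hosts=None, exclude_program=None, message=None,
                since=None, until=None, size=300):
    """Assemble a bool query the way the advanced-search commands above do.

    message         -> must     match on MESSAGE (analysed text, scored)
    exclude_program -> must_not match on PROGRAM
    host / hosts    -> filter   term / terms on HOST_FROM (exact, unscored)
    since / until   -> filter   range on R_ISODATE (gte / lte)
    Empty clauses are omitted so the JSON stays minimal.
    """
    must, must_not, filt = [], [], []
    if message:
        must.append({"match": {"MESSAGE": message}})
    if exclude_program:
        must_not.append({"match": {"PROGRAM": exclude_program}})
    if host:
        filt.append({"term": {"HOST_FROM": host}})
    if hosts:
        filt.append({"terms": {"HOST_FROM": list(hosts)}})
    bounds = {}
    if since:
        bounds["gte"] = since
    if until:
        bounds["lte"] = until
    if bounds:
        filt.append({"range": {"R_ISODATE": bounds}})
    bool_q = {name: clauses for name, clauses in
              (("must", must), ("must_not", must_not), ("filter", filt)) if clauses}
    return {"query": {"bool": bool_q}, "size": size}


def _post_json(url, body, auth=None, timeout=10):
    """POST a JSON body and decode the JSON response (HTTP Basic auth if given)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def validate_query(query, index="rse*", base_url="http://localhost:9200", auth=None):
    """Run _validate/query?explain and return (valid, explanations).

    _validate/query accepts only the "query" object; sending "size" or "sort"
    alongside it is rejected, so only that part of the built query is forwarded.
    """
    result = _post_json(f"{base_url}/{index}/_validate/query?explain",
                        {"query": query["query"]}, auth)
    return result.get("valid", False), result.get("explanations", [])


def extract_messages(response):
    """Pull MESSAGE from each hit, like jq -r '.hits.hits[]._source.MESSAGE'."""
    return [hit.get("_source", {}).get("MESSAGE") for hit in response["hits"]["hits"]]


def search_messages(query, index="rse*", base_url="http://localhost:9200", auth=None):
    """Validate first, then search; raises if the cluster rejects the query."""
    valid, explanations = validate_query(query, index, base_url, auth)
    if not valid:
        raise ValueError(f"query rejected: {explanations}")
    return extract_messages(_post_json(f"{base_url}/{index}/_search", query, auth))


if __name__ == "__main__":
    # Same query as the first advanced search above, printed as JSON.
    q = build_query(host="172.16.30.1", exclude_program="dhcpd",
                    since="2022-08-06T10:13:00.000+00:00",
                    until="2022-08-06T10:20:00.000+00:00")
    print(json.dumps(q, indent=2))
    # To run against a cluster; ("elastic", "CHANGE_ME") is a placeholder credential:
    # for line in search_messages(q, auth=("elastic", "CHANGE_ME")): print(line)
```

Putting the host and time constraints in `filter` rather than `must` matters for more than style: filter clauses are not scored and are cached, so repeated investigations over the same host and window are cheaper, while the free-text `match` on MESSAGE stays in `must` where its score still orders the hits.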
8.1.21 Sort results
Filter value when using sort:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse*/_search -d '{ "query" : { "match" : { "MESSAGE": "172.16.30.1" } }, "sort": { "_score": { "order": "desc" } } }' | jq
Filter value when using 2 sorts:
curl -XGET --header 'Content-Type: application/json' 'http://localhost:9200/rse*/_search?sort=R_ISODATE:desc&sort=_score&q=172.16.30.1' | jq
8.1.22 Indexes and aliases
Create an index:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/rse-dummy | jq
Create an alias on an index:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/rse-dummy/_alias/rse-dummy2 | jq
View alias:
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/rse-dummy/_alias/* | jq
Example alias usage:
curl -XDELETE --header "Content-Type: application/json" http://localhost:9200/rsx-netflow*
and:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/rsx-netflow-000001?pretty -d ' { "aliases": { "rsx-netflow":{ "is_write_index": true } } }'
8.1.23 Refresh indexes
Refresh all indexes:
curl -XPOST --header 'Content-Type: application/json' http://localhost:9200/_refresh | jq
Change the refresh interval of an index to 30 seconds:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/rse-dummy/_settings -d '{ "settings": { "refresh_interval": "30s" }}' | jq
Disable refresh interval for index:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/rse-dummy/_settings -d '{ "settings": { "refresh_interval": "-1" }}' | jq
Restore default refresh interval for index:
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/rse-dummy/_settings -d '{ "settings": { "refresh_interval": "1s" }}' | jq
8.1.24 Example lifecycle policy
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/_ilm/policy/netflow-policy -d ' { "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "rollover": { "max_primary_shard_size": "50gb", "max_age": "14d" } } }, "delete": { "min_age": "14d", "actions": { "delete": { "delete_searchable_snapshot": true } } } } } }' | jq
and:
curl -XPUT --header 'Content-Type: application/json' http://127.0.0.1:9200/_template/netflow-temp -d ' { "template":"rsx-netflow*", "settings": { "number_of_replicas": 1, "number_of_shards": 1, "index.lifecycle.name": "netflow-policy", "index.lifecycle.rollover_alias": "rsx-netflow" } }' | jq
8.1.25 Dump latest 10000 results sorted to the CLI
The following is an example command with authentication. If needed, replace the index and authentication values.
curl -XGET --header 'Content-Type: application/json' http://elastic:elastic@localhost:9200/rse*/_search -d '{ "size": 10000, "sort": { "R_ISODATE": "desc"} }' | jq -r -c '.hits.hits[]._source | "\(.DATE) \(.MESSAGE)"' | tac
8.2 RSC Core commands
8.2.1 Search multiple strings of text
grep -h "switch1\|switch2\|switch3" /var/log/remote_syslog/* | more
8.2.2 Search for the top 15 messages
grep -Eo "%[^:]+: " /var/log/remote_syslog/remote_syslog.log | sort | uniq -c | sort -nr | head -n 15
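The pipeline above ranks the `%FACILITY-SEVERITY-MNEMONIC:` tokens that Cisco-style devices put at the front of each syslog message. The following is an added example, not from the RSC Core documentation, that does the same ranking in Python and also rolls the counts up by severity, which is the number a detection rule usually keys on (0 to 4 are emergency through warning). The log lines are constructed for the demonstration; the log path is the one used on this page.

```python
"""Rank Cisco-style syslog mnemonics (%FACILITY-SEVERITY-MNEMONIC:) by frequency.

Added example; not from the RSC Core documentation. The sample lines are
constructed; the default log path is the one used on this page.
"""
import re
import sys
from collections import Counter

# Facility and mnemonic are upper-case words; the single digit between them is
# the severity (0 = emergency ... 7 = debug). The match stops at the first ':'
# so a later "key: value" in the message body cannot stretch the token.
MNEMONIC_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-(\d)-([A-Z][A-Z0-9_]*):")

# Constructed sample lines in remote_syslog.log style (not real device output).
SAMPLE_LINES = [
    "Jan 20 10:00:01 switch1 12: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "Jan 20 10:00:02 switch1 13: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down",
    "Jan 20 10:00:05 switch2 44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.16.30.24)",
    "Jan 20 10:00:09 switch1 14: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "Jan 20 10:00:10 switch3 7: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.30.1] [localport: 22]",
    "Jan 20 10:00:12 switch3 8: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 172.16.30.1] [localport: 22]",
    "Jan 20 10:00:13 switch1 15: keepalive without a mnemonic",
]


def top_mnemonics(lines, n=15):
    """Return [(token, count), ...] for the n most frequent mnemonic tokens."""
    counts = Counter()
    for line in lines:
        m = MNEMONIC_RE.search(line)
        if m:
            counts[m.group(0)] += 1
    return counts.most_common(n)


def count_by_severity(lines):
    """Return {severity: count}; lines without a mnemonic are ignored."""
    counts = Counter()
    for line in lines:
        m = MNEMONIC_RE.search(line)
        if m:
            counts[int(m.group(2))] += 1
    return dict(counts)


def read_log(path="/var/log/remote_syslog/remote_syslog.log"):
    """Read the remote syslog file as a list of lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    # Runs on the sample by default; pass a log path as argv[1] for real data.
    lines = read_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    for token, count in top_mnemonics(lines):
        print(f"{count:7d} {token}")
    print("by severity:", count_by_severity(lines))
```

The `[user: admin]` fragments in the sample show why the match must stop at the first colon: a greedy `.+: ` would swallow everything up to the last `: ` on the line and each message would then count as its own token, hiding the repeats the top-15 view is meant to surface.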
8.3 Unsupported commands
8.3.1 Disable NTP and change date
timedatectl set-time '2022-01-20'
timedatectl set-ntp 0