如何查询Elasticsearch以获取特定的metricbeatdata?

时间:2017-01-11 13:02:50

标签: python elasticsearch metricbeat

在我目前的设置中,我在我的网络中运行了elasticsearch 192.168.1.35:9200以及192.168.1.40上的一个度量标准,它从该计算机收集指标(192.168.1.40)。我的metricbeat.yml看起来像这样

metricbeat.modules:
- module: system
  metricsets:
    - core
    - cpu
    - filesystem
    - memory
    - network
    - process
  cgroups: true
  enabled: true
  period: 10
  procs: [".*"]
  cpu_ticks: false


output.elasticsearch:
  hosts: ['192.68.1.35:9200']

在我的python代码中,我使用Elasticsearch API来查询我的Elasticsearch:

def es_match_all():
    elasticsearch = Elasticsearch(
    ['192.168.1.35'],
    port=9200,
    )
    result = elasticsearch.search(index='metricbeat-*', body={"query":{"match_all": {}}})
    print(result)

调用此方法时,我得到了我想要的结果。我在下面打印了一个较短的版本:

{"hits": {"total": 2375277, "hits": [{"_id": "AVmI873zkPW_EI4mzGOc", "_source": {"beat": {"hostname": "ip-172-31-53-117", "name": "ip-172-31-53-117", "version": "5.1.1"}, "system": {"memory": {"total": 3945406464, "free": 2389319680, "swap": {"total": 0, "free": 0, "used": {"bytes": 0, "pct": 0.0}}, "used": {"bytes": 1556086784, "pct": 0.3944}, "actual": {"free": 3663335424, "used": {"bytes": 282071040, "pct": 0.0715}}}}, "type": "metricsets", "@timestamp": "2017-01-10T15:16:32.108Z", "metricset": {"module": "system", "name": "memory", "rtt": 97}}, "_score": 1.0, "_type": "metricsets", "_index": "metricbeat-2017.01.10"} ...

现在我想查询ES以获取特定主机名(ip-172-31-53-117)的一些信息:

def es_match_hostname():
    elasticsearch = Elasticsearch(
    ['192.168.1.35'],
    port=9200,
    )
    result = elasticsearch.search(
        index='metricbeat-*',
        body={"query": {"match": {'hostname': "ip-172-31-53-117"}}}
        )

但是在调用该方法时我得到了以下结果:

{"hits": {"total": 0, "hits": [], "max_score": null}, "_shards": {"total": 10, "failed": 0, "successful": 10}, "took": 11, "timed_out": false}

所以我的ES配置和索引是正确的,但我找不到如何编写正确的查询来获取该信息。在body来电

中,我应该将elasticsearch.search用作declare @start as datetime; declare @end as datetime; set @start = '20100701 10:10:10.125'; set @end = '20100702 10:10:10.225'; select round((cast(@end as float) - cast(@start as float)) * 24 * 3600, 1);

1 个答案:

答案 0 :(得分:2)

我找到了一个使用querystring代替match的解决方案。我在Kibana中显示了我的度量标准,并注意到如果我使用beat.namebeat.hostname,我可以在那里查询。我得到了这段代码:

def es_match_hostname():
    elasticsearch = Elasticsearch(
    ['192.168.1.35'],
    port=9200,
    )
    match = "beat.name: ip-172-31-53-117*"
    result = elasticsearch.search(
        index='metricbeat-*',
        body={"query":{"query_string":{"query": match, "analyze_wildcard":True}}}
        )

通过这样做,我只得到了特定节拍的结果。