finish off the last bits
This commit is contained in:
parent
756fa71841
commit
da2e4bd230
|
@ -1,7 +1,8 @@
|
|||
Revision history for Search-ESsearcher
|
||||
|
||||
0.4.0 2019-06-05/05:0
|
||||
- Make host searching work better for syslog. Thanks, Kevin Greene.
|
||||
- Make host searching work better. Thanks, Kevin Greene.
|
||||
- Add the aonHost.
|
||||
|
||||
0.3.1 2019-06-05/05:0
|
||||
- Add missing options to postfix pod.
|
||||
|
|
|
@ -17,16 +17,15 @@ Search::ESsearcher - Provides a handy system for doing templated elasticsearch s
|
|||
|
||||
=head1 VERSION
|
||||
|
||||
Version 0.3.1
|
||||
Version 0.4.0
|
||||
|
||||
=cut
|
||||
|
||||
our $VERSION = '0.3.1';
|
||||
our $VERSION = '0.4.0';
|
||||
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
|
||||
use Search::ESsearcher;
|
||||
|
||||
my $ess = Search::ESsearcher->new();
|
||||
|
@ -1065,13 +1064,43 @@ So the string "postfix,spamd" would become
|
|||
Can be used like below.
|
||||
|
||||
[% USE JSON ( pretty => 1 ) %]
|
||||
[% DEFAULT o.program = "*" %]
|
||||
|
||||
[% IF o.program %]
|
||||
{"query_string": {
|
||||
"default_field": "program",
|
||||
"query": [% aon( o.program ).json %]
|
||||
}
|
||||
},
|
||||
[% END %]
|
||||
|
||||
This function is only available for the search template.
|
||||
|
||||
=head2 aonHost
|
||||
|
||||
This is AND, OR, or NOT sub that handles
|
||||
the following in a string, transforming them
|
||||
from the punctuation to the logic.
|
||||
|
||||
, OR
|
||||
+ AND
|
||||
! NOT
|
||||
|
||||
So the string "foo.,mail.bar." would become
|
||||
"/foo./ OR /mail.bar./".
|
||||
|
||||
This is best used with $field.keyword.
|
||||
|
||||
Can be used like below.
|
||||
|
||||
[% USE JSON ( pretty => 1 ) %]
|
||||
|
||||
[% IF o.host %]
|
||||
{"query_string": {
|
||||
"default_field": "host.keyword",
|
||||
"query": [% aonHost( o.host ).json %]
|
||||
}
|
||||
},
|
||||
[% END %]
|
||||
|
||||
This function is only available for the search template.
|
||||
|
||||
|
|
|
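Review bot: The new aonHost POD (hunk @ -1065) documents that each host is wrapped as `/foo./`, but in an Elasticsearch query_string a `/.../` term is a Lucene regexp, so the `.` in `foo.` matches any single character rather than a literal dot; the advice "should always end in a period" therefore does not anchor anything literally. The aonHost implementation is not in this hunk, so whether the input is regex-escaped before wrapping cannot be confirmed from here, but the POD should state it either way. Suggested line after "This is best used with $field.keyword.": `The resulting terms are Lucene regexps, so regex metacharacters in the host names (including the period) keep their regex meaning and are not escaped.` The same wording applies to the HOST shortcut sections added to the postfix and syslog templates.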
@ -10,11 +10,11 @@ Search::ESsearcher::Templates::syslog - Provides postfix support for essearcher.
|
|||
|
||||
=head1 VERSION
|
||||
|
||||
Version 0.0.1
|
||||
Version 0.1.0
|
||||
|
||||
=cut
|
||||
|
||||
our $VERSION = '0.0.1';
|
||||
our $VERSION = '0.1.0';
|
||||
|
||||
=head1 LOGSTASH
|
||||
|
||||
|
@ -51,10 +51,30 @@ the postfix messages. These files are included with this as well.
|
|||
|
||||
The syslog server.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --hostx <log host>
|
||||
|
||||
The syslog server.
|
||||
|
||||
Does not run the it through aonHost.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --src <src server>
|
||||
|
||||
The source server sending to the syslog server.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --srcx <src server>
|
||||
|
||||
The source server sending to the syslog server.
|
||||
|
||||
Does not run the it through aonHost.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --size <count>
|
||||
|
||||
The number of items to return.
|
||||
|
@ -173,6 +193,21 @@ These may be used with program, facility, pid, or host.
|
|||
|
||||
results: postfix OR spamd
|
||||
|
||||
=head1 HOST AND, OR, or NOT shortcut
|
||||
|
||||
, OR
|
||||
+ AND
|
||||
! NOT
|
||||
|
||||
A list of hosts seperated by any of those will be transformed.
|
||||
A host name should always end in a period unless it is a FQDN.
|
||||
|
||||
These may be used with host and src.
|
||||
|
||||
example: --src foo.,mail.bar.
|
||||
|
||||
results: /foo./ OR /mail.bar./
|
||||
|
||||
=head1 date
|
||||
|
||||
date
|
||||
|
@ -207,15 +242,29 @@ return '
|
|||
},
|
||||
[% IF o.host %]
|
||||
{"query_string": {
|
||||
"default_field": "host",
|
||||
"query": [% aon( o.host ).json %]
|
||||
"default_field": "host.keyword",
|
||||
"query": [% aonHost( o.host ).json %]
|
||||
}
|
||||
},
|
||||
[% END %]
|
||||
[% IF o.hostx %]
|
||||
{"query_string": {
|
||||
"default_field": "host.keyword",
|
||||
"query": [% o.hostx.json %]
|
||||
}
|
||||
},
|
||||
[% END %]
|
||||
[% IF o.src %]
|
||||
{"query_string": {
|
||||
"default_field": "logsource",
|
||||
"query": [% o.src.json %]
|
||||
"default_field": "logsource.keyword",
|
||||
"query": [% aonHost( o.src ).json %]
|
||||
}
|
||||
},
|
||||
[% END %]
|
||||
[% IF o.srcx %]
|
||||
{"query_string": {
|
||||
"default_field": "logsource.keyword",
|
||||
"query": [% o.srcx.json %]
|
||||
}
|
||||
},
|
||||
[% END %]
|
||||
|
@ -361,6 +410,8 @@ sub options{
|
|||
return '
|
||||
host=s
|
||||
src=s
|
||||
hostx=s
|
||||
srcx=s
|
||||
size=s
|
||||
showpid
|
||||
mid=s
|
||||
|
@ -531,7 +582,9 @@ sub help{
|
|||
return '
|
||||
|
||||
--host <log host> The syslog server.
|
||||
--hostx <log host> The syslog server. This is passed raw.
|
||||
--src <src server> The source server sending to the syslog server.
|
||||
--srcx <src server> The source server sending to the syslog server. This is passed raw.
|
||||
--size <count> The number of items to return.
|
||||
--pid <pid> The PID that sent the message.
|
||||
|
||||
|
@ -583,6 +636,22 @@ example: --program postfix,spamd
|
|||
|
||||
|
||||
|
||||
HOST AND, OR, or NOT shortcut
|
||||
, OR
|
||||
+ AND
|
||||
! NOT
|
||||
|
||||
A list of hosts seperated by any of those will be transformed.
|
||||
A host name should always end in a period unless it is a FQDN.
|
||||
|
||||
These may be used with host and src.
|
||||
|
||||
example: --src foo.,mail.bar.
|
||||
|
||||
results: /foo./ OR /mail.bar./
|
||||
|
||||
|
||||
|
||||
field and fieldv
|
||||
|
||||
The search template is written with the expectation that logstash is setting
|
||||
|
|
|
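Review bot: In the help hunk (@ -531) `--hostx` and `--srcx` are described as "passed raw", but the search-template hunk (@ -207) still places the value inside a `query_string` clause (`"query": [% o.hostx.json %]`), so Lucene query syntax in the value is interpreted rather than matched literally. Suggest `--hostx <log host> The syslog server. Passed as-is as a query_string expression, not run through aonHost.` and the same for `--srcx`. The POD entries added in hunk @ -51 read "Does not run the it through aonHost." in both this file and the syslog template; the stray "the" should be dropped, and "seperated" in the HOST shortcut sections should be "separated". The NAME line in the hunk header, "Templates::syslog - Provides postfix support", looks like a copy-paste leftover in this postfix template, though it is untouched by this commit.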
@ -10,11 +10,11 @@ Search::ESsearcher::Templates::syslog - Provides syslog support for essearcher.
|
|||
|
||||
=head1 VERSION
|
||||
|
||||
Version 1.0.0
|
||||
Version 1.1.0
|
||||
|
||||
=cut
|
||||
|
||||
our $VERSION = '1.0.0';
|
||||
our $VERSION = '1.1.0';
|
||||
|
||||
=head1 LOGSTASH
|
||||
|
||||
|
@ -47,10 +47,30 @@ use the command line options field and fieldv.
|
|||
|
||||
The syslog server.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --hostx <log host>
|
||||
|
||||
The syslog server.
|
||||
|
||||
Does not run the it through aonHost.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --src <src server>
|
||||
|
||||
The source server sending to the syslog server.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --srcx <src server>
|
||||
|
||||
The source server sending to the syslog server.
|
||||
|
||||
Does not run the it through aonHost.
|
||||
|
||||
The search is done with .keyword appended to the field name.
|
||||
|
||||
=head2 --program <program>
|
||||
|
||||
The name of the daemon/program in question.
|
||||
|
@ -113,6 +133,22 @@ These may be used with program, facility, pid, or host.
|
|||
|
||||
results: postfix OR spamd
|
||||
|
||||
=head1 HOST AND, OR, or NOT shortcut
|
||||
|
||||
, OR
|
||||
+ AND
|
||||
! NOT
|
||||
|
||||
A list of hosts seperated by any of those will be transformed.
|
||||
A host name should always end in a period unless it is a FQDN.
|
||||
|
||||
These may be used with host and src.
|
||||
|
||||
example: --src foo.,mail.bar.
|
||||
|
||||
results: /foo./ OR /mail.bar./
|
||||
|
||||
|
||||
=head1 date
|
||||
|
||||
date
|
||||
|
@ -358,7 +394,10 @@ A host name should always end in a period unless it is a FQDN.
|
|||
|
||||
These may be used with host and src.
|
||||
|
||||
example: --src wap0.foo.,printer.,a.foo.bar
|
||||
example: --src foo.,mail.bar.
|
||||
|
||||
results: /foo./ OR /mail.bar./
|
||||
|
||||
|
||||
|
||||
field and fieldv
|
||||
|
|
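Review bot: The hunks for this file add POD for `--hostx` and `--srcx` (@ -47) and the HOST shortcut section (@ -113), but no hunk here adds `hostx=s`/`srcx=s` to the options string or `[% IF o.hostx %]` to the search template, as the postfix template's section does; the header of hunk @ -358 suggests the help text already carried the HOST shortcut, so these may have landed in an earlier commit, but it is worth confirming the options exist before documenting them. The new POD also repeats "Does not run the it through aonHost." and "seperated"; suggest `Does not run it through aonHost.` and `separated`.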