working nicely for syslog now :3
This commit is contained in:
parent
987002d8e8
commit
f799cb93e0
|
@ -12,11 +12,13 @@ my $output;
|
|||
my $elastic;
|
||||
my $module;
|
||||
my $invert;
|
||||
my $print_search;
|
||||
GetOptions(
|
||||
's=s' => \$search,
|
||||
'g=s' => \$options,
|
||||
'o=s' => \$output,
|
||||
'e=s' => \$elastic,
|
||||
'S' => \$print_search,
|
||||
'm=s' => \$module,
|
||||
'i' => \$invert,
|
||||
);
|
||||
|
@ -45,7 +47,11 @@ $ess->get_options;
|
|||
# reels in the search template
|
||||
$ess->search_set( $search );
|
||||
$ess->load_search;
|
||||
$ess->search_fill_in;
|
||||
my $filled_in=$ess->search_fill_in;
|
||||
if ( $print_search ){
|
||||
print $filled_in;
|
||||
exit 255;
|
||||
}
|
||||
|
||||
# reels in the elastic config
|
||||
$ess->elastic_set( $elastic );
|
||||
|
|
|
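Review bot: `exit 255;` after `print $filled_in;` reports the `-S` template dump as a failure to the calling shell, so `set -e` scripts and `&&` chains that only wanted to inspect the filled-in search abort on a successful run; printing the template is the requested behaviour and should end with `exit 0;` (or a small documented code if a non-zero exit is deliberately meant to stop further processing). `print` also emits no trailing newline, so unless the template text itself ends in one the next shell prompt lands on the JSON's last line — `print $filled_in, "\n";` if that is not intended. `$print_search` is set from the `-S` option earlier in this file, and the script continues past the hunk.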
@ -677,23 +677,31 @@ sub search_fill_in{
|
|||
|
||||
my $vars={
|
||||
o=>$self->{parsed_options},
|
||||
aon=>sub{
|
||||
$_[0]=~s/\+/\ AND\ /;
|
||||
$_[0]=~s/\,/\ OR\ /;
|
||||
$_[0]=~s/\!/\ NOT\ /;
|
||||
return $_[0];
|
||||
},
|
||||
pd=>sub{
|
||||
if( $_[0] =~ /^raw\:/ ){
|
||||
$_[0] =~ s/^raw\://;
|
||||
return $_[0];
|
||||
if( $_[0] =~ /^u\:/ ){
|
||||
$_[0] =~ s/^u\://;
|
||||
$_[0]=~s/m$/minutes/;
|
||||
$_[0]=~s/M$/months/;
|
||||
$_[0]=~s/d$/days/;
|
||||
$_[0]=~s/h$/hours/;
|
||||
$_[0]=~s/h$/weeks/;
|
||||
$_[0]=~s/y$/years/;
|
||||
$_[0]=~s/([0123456789])$/$1seconds/;
|
||||
$_[0]=~s/([0123456789])s$/$1seconds/;
|
||||
my $secs="";
|
||||
eval{ $secs=parsedate( $_[0] ); };
|
||||
return $secs;
|
||||
}elsif( $_[0] =~ /^\-/ ){
|
||||
return 'now'.$_[0];
|
||||
}
|
||||
$_[0]=~s/m$/minutes/;
|
||||
$_[0]=~s/M$/months/;
|
||||
$_[0]=~s/d$/days/;
|
||||
$_[0]=~s/h$/hours/;
|
||||
$_[0]=~s/h$/weeks/;
|
||||
$_[0]=~s/y$/years/;
|
||||
$_[0]=~s/([0123456789])$/$1seconds/;
|
||||
$_[0]=~s/([0123456789])s$/$1seconds/;
|
||||
my $secs="";
|
||||
eval{ $secs=parsedate( $_[0] ); };
|
||||
return $secs;
|
||||
},
|
||||
return $_[0];
|
||||
},
|
||||
};
|
||||
|
||||
my $processed;
|
||||
|
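Review bot: The new `aon` helper only rewrites the first occurrence of each operator because its three substitutions lack the `/g` modifier, so `-g host=a+b+c` becomes `a AND b+c` and the remaining `+` reaches query_string unchanged; the lines should read `$_[0]=~s/\+/ AND /g;` with the same `/g` on the `,` and `!` substitutions. In `pd`, `$_[0]=~s/h$/weeks/;` can never match because the preceding `s/h$/hours/` has already consumed a trailing `h`, and no suffix maps to weeks at all — it should be `$_[0]=~s/w$/weeks/;`. The `eval{ $secs=parsedate( $_[0] ); }` never inspects `$@`, so an unparseable `u:` value presumably yields an empty or undefined bound (null once the template applies `.json`) instead of an error; at least `warn "unparseable time '$_[0]': $@" if $@;` would surface it. `search_fill_in` begins before and ends after this hunk.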
@ -702,7 +710,7 @@ sub search_fill_in{
|
|||
$self->{search_filled_in}=$processed;
|
||||
|
||||
$self->{search_usable}=undef;
|
||||
#print $processed;
|
||||
|
||||
eval {
|
||||
my $decoded=$self->{j}->decode( $processed );
|
||||
$self->{search_hash}=$decoded;
|
||||
|
|
|
@ -61,6 +61,8 @@ return '
|
|||
[% DEFAULT o.pid = "*" %]
|
||||
[% DEFAULT o.msg = "*" %]
|
||||
[% DEFAULT o.size = "50" %]
|
||||
[% DEFAULT o.field = "type" %]
|
||||
[% DEFAULT o.fieldv = "syslog" %]
|
||||
{
|
||||
"index": "logstash-*",
|
||||
"body": {
|
||||
|
@ -69,35 +71,35 @@ return '
|
|||
"bool": {
|
||||
"must": [
|
||||
{
|
||||
"term": { "type": "syslog" } },
|
||||
"term": { [% o.field.json %]: [% o.fieldv.json %] } },
|
||||
{"query_string": {
|
||||
"default_field": "host",
|
||||
"query": [% o.host.json %]
|
||||
"query": [% aon( o.host ).json %]
|
||||
}
|
||||
},
|
||||
{"query_string": {
|
||||
"default_field": "logsource",
|
||||
"query": [% o.src.json %]
|
||||
"query": [% aon( o.src ).json %]
|
||||
}
|
||||
},
|
||||
{"query_string": {
|
||||
"default_field": "program",
|
||||
"query": [% o.program.json %]
|
||||
"query": [% aon( o.program ).json %]
|
||||
}
|
||||
},
|
||||
{"query_string": {
|
||||
"default_field": "facility_label",
|
||||
"query": [% o.facility.json %]
|
||||
"query": [% aon( o.facility ).json %]
|
||||
}
|
||||
},
|
||||
{"query_string": {
|
||||
"default_field": "severity_label",
|
||||
"query": [% o.severity.json %]
|
||||
"query": [% aon( o.severity ).json %]
|
||||
}
|
||||
},
|
||||
{"query_string": {
|
||||
"default_field": "pid",
|
||||
"query": [% o.pid.json %]
|
||||
"query": [% aon( o.pid ).json %]
|
||||
}
|
||||
},
|
||||
{"query_string": {
|
||||
|
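Review bot: The `term` clause now takes its field name and value straight from `-g field=…` / `-g fieldv=…` with no check beyond the `.json` quoting, and in Elasticsearch a `term` query is not analysed, so a `fieldv` that does not equal the indexed token exactly (for example a mixed-case value against a lower-cased text field) silently matches nothing rather than failing; that caveat belongs in a template comment next to the clause, e.g. `[%# field/fieldv: exact, unanalysed term match; override with -g field=... fieldv=... %]`, and in the option help for `field`/`fieldv` if one exists. Wrapping every value in `aon( … )` also means a literal `+`, `,` or `!` in host, logsource, program, facility, severity or pid can no longer be searched for — I see no raw escape on this side of the template — which is worth a one-line note wherever those options are documented. The enclosing `return '…'` string starts before and ends after this hunk.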
@ -169,6 +171,6 @@ msg=s
|
|||
|
||||
sub output{
|
||||
return '[% c("cyan") %][% f.timestamp %] [% c("bright_blue") %][% f.logsource %] '.
|
||||
'[% c("bright_green") %][% f.program %][[% c("bright_white") %][% f.pid %][% c("bright_green") %]] '.
|
||||
'[% c("white") %][% f.message %]';
|
||||
'[% c("bright_green") %][% f.program %][% c("bright_magenta") %][[% c("bright_yellow") %]'.
|
||||
'[% f.pid %][% c("bright_magenta") %]] [% c("white") %][% f.message %]';
|
||||
}
|
||||
|
|