working nicely for syslog now :3

This commit is contained in:
Zane C. B-H 2019-05-31 05:38:14 -05:00
parent 987002d8e8
commit f799cb93e0
3 changed files with 42 additions and 26 deletions


@ -12,11 +12,13 @@ my $output;
my $elastic;
my $module;
my $invert;
my $print_search;
GetOptions(
's=s' => \$search,
'g=s' => \$options,
'o=s' => \$output,
'e=s' => \$elastic,
'S' => \$print_search,
'm=s' => \$module,
'i' => \$invert,
);
@ -45,7 +47,11 @@ $ess->get_options;
# reels in the search template
$ess->search_set( $search );
$ess->load_search;
$ess->search_fill_in;
my $filled_in=$ess->search_fill_in;
if ( $print_search ){
print $filled_in;
exit 255;
}
# reels in the elastic config
$ess->elastic_set( $elastic );
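Review bot: `exit 255;` after `print $filled_in;` reports failure to any shell or wrapper that checks the status, although `-S` is a deliberate, successful early exit; `exit 0;` is the conventional code here, and `print $filled_in, "\n";` keeps the prompt off the end of the printed template. The bare `$ess->search_fill_in;` on the line before `my $filled_in=$ess->search_fill_in;` appears to survive this commit (the hunk counts fit four added lines and no removals), which would render the template twice and discard the first result; if that is the case, drop the bare call. The option-parsing setup and the `$ess` object construction lie outside this hunk.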


@ -677,23 +677,31 @@ sub search_fill_in{
my $vars={
o=>$self->{parsed_options},
aon=>sub{
$_[0]=~s/\+/\ AND\ /;
$_[0]=~s/\,/\ OR\ /;
$_[0]=~s/\!/\ NOT\ /;
return $_[0];
},
pd=>sub{
if( $_[0] =~ /^raw\:/ ){
$_[0] =~ s/^raw\://;
return $_[0];
if( $_[0] =~ /^u\:/ ){
$_[0] =~ s/^u\://;
$_[0]=~s/m$/minutes/;
$_[0]=~s/M$/months/;
$_[0]=~s/d$/days/;
$_[0]=~s/h$/hours/;
$_[0]=~s/h$/weeks/;
$_[0]=~s/y$/years/;
$_[0]=~s/([0123456789])$/$1seconds/;
$_[0]=~s/([0123456789])s$/$1seconds/;
my $secs="";
eval{ $secs=parsedate( $_[0] ); };
return $secs;
}elsif( $_[0] =~ /^\-/ ){
return 'now'.$_[0];
}
$_[0]=~s/m$/minutes/;
$_[0]=~s/M$/months/;
$_[0]=~s/d$/days/;
$_[0]=~s/h$/hours/;
$_[0]=~s/h$/weeks/;
$_[0]=~s/y$/years/;
$_[0]=~s/([0123456789])$/$1seconds/;
$_[0]=~s/([0123456789])s$/$1seconds/;
my $secs="";
eval{ $secs=parsedate( $_[0] ); };
return $secs;
},
return $_[0];
},
};
my $processed;
@ -702,7 +710,7 @@ sub search_fill_in{
$self->{search_filled_in}=$processed;
$self->{search_usable}=undef;
#print $processed;
eval {
my $decoded=$self->{j}->decode( $processed );
$self->{search_hash}=$decoded;
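Review bot: `$_[0]=~s/h$/weeks/;` directly after `$_[0]=~s/h$/hours/;` can never match, because an `h` suffix has already been rewritten to `hours`; it reads like a typo for `$_[0]=~s/w$/weeks/;`, so a `1w` value reaches `parsedate` unchanged, and the same pair appears in both the `u:` block and the block after the `elsif`. Those two blocks otherwise run an identical suffix-normalisation and `parsedate` sequence, so factoring them into one private helper would let the fix land once. The `aon` closure replaces only the first `+`, `,` and `!` in a value because its substitutions lack `/g` (`foo+bar+baz` becomes `foo AND bar+baz`), and `eval{ $secs=parsedate( $_[0] ); }` leaves `$secs` as the empty string when parsing dies, which then flows into the search silently; adding `/g` and checking `$@` would surface bad `-g` values. search_fill_in begins and ends outside this hunk.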


@ -61,6 +61,8 @@ return '
[% DEFAULT o.pid = "*" %]
[% DEFAULT o.msg = "*" %]
[% DEFAULT o.size = "50" %]
[% DEFAULT o.field = "type" %]
[% DEFAULT o.fieldv = "syslog" %]
{
"index": "logstash-*",
"body": {
@ -69,35 +71,35 @@ return '
"bool": {
"must": [
{
"term": { "type": "syslog" } },
"term": { [% o.field.json %]: [% o.fieldv.json %] } },
{"query_string": {
"default_field": "host",
"query": [% o.host.json %]
"query": [% aon( o.host ).json %]
}
},
{"query_string": {
"default_field": "logsource",
"query": [% o.src.json %]
"query": [% aon( o.src ).json %]
}
},
{"query_string": {
"default_field": "program",
"query": [% o.program.json %]
"query": [% aon( o.program ).json %]
}
},
{"query_string": {
"default_field": "facility_label",
"query": [% o.facility.json %]
"query": [% aon( o.facility ).json %]
}
},
{"query_string": {
"default_field": "severity_label",
"query": [% o.severity.json %]
"query": [% aon( o.severity ).json %]
}
},
{"query_string": {
"default_field": "pid",
"query": [% o.pid.json %]
"query": [% aon( o.pid ).json %]
}
},
{"query_string": {
@ -169,6 +171,6 @@ msg=s
sub output{
return '[% c("cyan") %][% f.timestamp %] [% c("bright_blue") %][% f.logsource %] '.
'[% c("bright_green") %][% f.program %][[% c("bright_white") %][% f.pid %][% c("bright_green") %]] '.
'[% c("white") %][% f.message %]';
'[% c("bright_green") %][% f.program %][% c("bright_magenta") %][[% c("bright_yellow") %]'.
'[% f.pid %][% c("bright_magenta") %]] [% c("white") %][% f.message %]';
}
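Review bot: the `term` filter key and value now come from `o.field` and `o.fieldv`, and the `.json` filter keeps both quoted so a value cannot alter the JSON structure, but nothing documents that these two are the only options applied verbatim (no `aon` rewriting) and that `term` is an exact match, so a `*` default like the one used for `o.pid` would not wildcard here. A comment above the new `DEFAULT` lines, such as `[%# field/fieldv select the exact-match term filter; wildcards and +,! rewriting apply only to the query_string fields below %]`, would keep the next reader from assuming the same conventions. If the module's option list (the `msg=s` run the last hunk header points at, outside this hunk) did not gain `field=s` and `fieldv=s` in this commit, the new defaults cannot be overridden from `-g`.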