I am looking to create a script that will query multiple hostnames and provide a not found result if it is not in the index and provide the host and count of documents on the server if it is found. What I have so far seems to work, but I am unsure of how to make it query multiple servers and provide the correct result. Any help would be greatly appreciated.
GET /index1*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-7d",
              "lt": "now"
            }
          }
        },
        {
          "term": {
            "host.name": "server1"
          }
        }
      ]
    }
  },
  "aggregations": {
    "hosts": {
      "composite": {
        "size": 1000,
        "sources": [
          {
            "hostname": {
              "terms": {
                "field": "host.name"
              }
            }
          }
        ]
      }
    }
  },
  "size": 0
}
CodePudding user response:
Great start so far! You can simply change the term query into a terms one. Also, you need to leverage the missing bucket feature for the not found result:
GET /index1*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-7d",
              "lt": "now"
            }
          }
        },
        {
          "terms": {
            "host.name": ["server1", "server2", "server3"]
          }
        }
      ]
    }
  },
  "aggregations": {
    "hosts": {
      "composite": {
        "size": 1000,
        "sources": [
          {
            "hostname": {
              "terms": {
                "field": "host.name",
                "missing_bucket": true,
                "missing_order": "last"
              }
            }
          }
        ]
      }
    }
  },
  "size": 0
}
All the servers which have documents during the given time interval will have buckets, all the others will be in the "null" bucket.
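The script the question asks for, as an added example that is not part of the original question or answer: it builds the terms plus composite-aggregation request shown in the answer for a list of hostnames, walks the composite buckets (following `after_key` in case there are more buckets than one page holds), and then reports each requested host with its document count, or "not found" when no bucket came back for it. The index pattern `index1*` and the field `host.name` come from the thread; the `search` callable, the `fake_search` stub and the `SAMPLE_RESPONSE` it returns are assumptions so the script runs offline, and would be replaced by a real client call such as `es.search(index=..., body=...)`.

```python
"""Check several hostnames against an Elasticsearch index pattern and report,
per host, the number of documents seen in the last 7 days or "not found".

Added example, not code from the original question or answer. Index pattern
and field name are taken from the thread; the `search` callable and the
sample response below are assumptions that let the script run offline.
"""
import json
from typing import Callable, Dict, Iterable, List, Optional

INDEX_PATTERN = "index1*"   # from the thread
HOST_FIELD = "host.name"    # from the thread


def build_query(hosts: Iterable[str], since: str = "now-7d",
                page_size: int = 1000) -> dict:
    """Build the request from the answer: a terms filter on the host field plus
    a composite aggregation keyed by hostname (missing bucket enabled).

    The host list is placed into the DSL as a JSON array, never interpolated
    into a query string, so odd characters in a hostname cannot reshape the query.
    """
    return {
        "size": 0,
        "query": {
            "bool": {
                "must": [
                    {"range": {"@timestamp": {"gte": since, "lt": "now"}}},
                    {"terms": {HOST_FIELD: sorted(set(hosts))}},
                ]
            }
        },
        "aggregations": {
            "hosts": {
                "composite": {
                    "size": page_size,
                    "sources": [
                        {"hostname": {"terms": {"field": HOST_FIELD,
                                                 "missing_bucket": True,
                                                 "missing_order": "last"}}}
                    ],
                }
            }
        },
    }


def collect_counts(hosts: List[str], search: Callable[..., dict],
                   page_size: int = 1000) -> Dict[Optional[str], int]:
    """Run the query and return hostname -> doc_count from the composite buckets.

    Composite aggregations are paginated: when a page is full, the response
    carries `after_key`, which is passed back as `after` to fetch the next page.
    The bucket whose hostname key is None holds documents that lack the field.
    """
    counts: Dict[Optional[str], int] = {}
    after = None
    while True:
        body = build_query(hosts, page_size=page_size)
        if after:
            body["aggregations"]["hosts"]["composite"]["after"] = after
        agg = search(index=INDEX_PATTERN, body=body)["aggregations"]["hosts"]
        for bucket in agg["buckets"]:
            counts[bucket["key"]["hostname"]] = bucket["doc_count"]
        after = agg.get("after_key")
        if not after or len(agg["buckets"]) < page_size:
            break
    return counts


def check_hosts(hosts: List[str],
                search: Callable[..., dict]) -> Dict[str, Optional[int]]:
    """Map each requested host to its document count, or None if it had no bucket."""
    counts = collect_counts(hosts, search)
    return {host: counts.get(host) for host in hosts}


def format_report(results: Dict[str, Optional[int]]) -> Dict[str, str]:
    """Render the per-host result lines the question asks for."""
    return {host: (f"{host}: not found" if n is None else f"{host}: {n} documents")
            for host, n in results.items()}


# Constructed response standing in for a real server reply (assumption).
SAMPLE_RESPONSE = {
    "aggregations": {"hosts": {
        "buckets": [
            {"key": {"hostname": "server1"}, "doc_count": 1234},
            {"key": {"hostname": "server3"}, "doc_count": 17},
            {"key": {"hostname": None}, "doc_count": 5},   # docs missing host.name
        ]}}}


def fake_search(index: str, body: dict) -> dict:
    """Offline stand-in for a client's search() call (assumption)."""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    wanted = ["server1", "server2", "server3"]
    for line in format_report(check_hosts(wanted, fake_search)).values():
        print(line)
    print(json.dumps(build_query(wanted), indent=2))
```

Against the constructed response this prints `server1: 1234 documents`, `server2: not found` and `server3: 17 documents`. Hosts are judged "not found" by comparing the requested list against the buckets that came back, which is what the question needs; the None bucket produced by `missing_bucket` only tells you how many matching documents carry no `host.name` at all.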