** Work in progress **

Description

A cli tool to query an elasticsearch host for logstash information. Because let's face it, we're CLI junkies :)

Mucho inspired by a gist of the eminent @lusis - https://gist.github.com/1388077

Installation

As a gem

$ gem install logstash-cli

From github

Tested with rvm and ruby-1.8.7

$ git clone git://github.com/jedi4ever/logstash-cli.git
$ cd logstash-cli
$ gem install bundler
$ bundle install

Usage

Using the Gem

# If you no rvm
$ bundle exec bin/logstash-cli

# If you have rvm , there is an alias in .rvmrc
$ logstash-cli

Using the Github version - through bundler

$ bundle exec bin/logstash-cli 

Commandline Options

Grep

Usage:
  logstash-cli grep PATTERN

Options:
  [--index-prefix=INDEX_PREFIX]  # Logstash index prefix
                                 # Default: logstash-
  [--fields=FIELDS]              # Logstash Fields to show
                                 # Default: message,program
  [--meta=META]                  # Meta Logstash fields to show
                                 # Default: type,message
  [--to=TO]                      # End date
                                 # Default: Today in YYYY-MM-DD HH:MM:SS form (the time is optional)
  [--delim=DELIM]                # plain or csv delimiter
                                 # Default: |
  [--format=FORMAT]              # Format to use for exporting
                                 # Default: csv
  [--from=FROM]                  # Begin date
                                 # Default: Today in YYYY-MM-DD HH:MM:SS form (the time is optional)
  [--size=SIZE]                  # Number of results to return
                                 # Default: 500
  [--esurl=ESURL]                # URL to connect to elasticsearch
                                 # Default: http://localhost:9200
  [--last=LAST]                  # Specify period since now (Examples: 10min, 3hrs, 4days, 1wk, 1yr)

Search logstash for a pattern

Tail

Usage:
  logstash-cli tail

Options:
      [--host=HOST]                    # Host to connect to AMQP
                                       # Default: localhost
  --amqpurl, [--url=URL]               # Alternate way to specify settings via an AMQP Url f.i. amqp://logstash:foopass@localhost:5672. 
 This takes precendence over other settings. Note that username and password need to be percentage encoded(URL encoded) in case of special characters
      [--auto-delete]                  # Autodelete Exchange or not
      [--vhost=VHOST]                  # VHost to connect to AMQP
                                       # Default: /
      [--persistent]                   # Persistent Exchange or not
      [--ssl]                          # Enable SSL to connect to AMQP
      [--user=USER]                    # User to connect to AMQP
                                       # Default: logstash
      [--meta=META]                    # Meta Logstash fields to show
                                       # Default: timestamp,type,message
      [--format=FORMAT]                # Format to use for exporting (plain,csv,json)
                                       # Default: csv
      [--key=KEY]                      # Routing key
                                       # Default: #
      [--port=PORT]                    # Port to connect to AMQP
                                       # Default: 5672
      [--exchange=EXCHANGE]            # Exchange name
                                       # Default: rawlogs
      [--password=PASSWORD]            # Password to connect to AMQP
                                       # Default: foo
      [--delim=DELIM]                  # plain or csv delimiter
                                       # Default: |
      [--exchange-type=EXCHANGE_TYPE]  # Exchange Type
                                       # Default: direct
      [--durable]                      # Durable Exchange or not

Stream a live feed via AMQP

Count

Usage:
  logstash-cli count PATTERN --countfield=COUNTFIELD

Options:
  [--meta=META]                  # Meta Logstash fields to show
  [--last=LAST]                  # Specify period since now f.i. 1d
  [--from=FROM]                  # Begin date
                                 # Default: Today in YYYY-MM-DD form
  [--delim=DELIM]                # plain or csv delimiter
                                 # Default: |
  --countfield=COUNTFIELD        # Logstash field to count
  [--countsize=COUNTSIZE]        # Number of most frequent values to return
                                 # Default: 50
  [--format=FORMAT]              # Format to use for exporting (plain,csv,json)
                                 # Default: csv
  [--to=TO]                      # End date
                                 # Default: Today in YYYY-MM-DD form
  [--fields=FIELDS]              # Logstash fields to show
  [--size=SIZE]                  # Number of results per index to show
                                 # Default: 10
  [--esurl=ESURL]                # URL to connect to elasticsearch
                                 # Default: http://localhost:9200
  [--index-prefix=INDEX_PREFIX]  # Logstash index prefix
                                 # Default: logstash-

Return most frequent values of a field within a pattern and optionally show associated fields

Examples

$ logstash-cli grep --esurl="http://logger-1.jedi.be:9200" '@message:jedi4ever AND program:sshd' --last 5d --format csv --delim ':'

$ logstash-cli tail --amqpurl="amqp://logger-1.jedi.be:5672" --key="program.sshd"

$ logstash-cli count --esurl="http://logger-1.jedi.be:9200" '@message:jedi4ever' --countfield=program

TODO

  • find a way to query existing instances
  • find a way to get the results by streaming instead of loading all in memory (maybe pagination will help here)
  • produce ascii histograms
  • or sparklines