For anyone who uses Logstash, chances are you also use Kibana (http://www.elasticsearch.org/overview/kibana/). Kibana is a nice Web UI for querying Elasticsearch. It is Logstash’s official UI. One major gripe with the current state of Kibana is that it does not support exporting search results. I wrote a tool to handle this problem while we wait for the real feature.
As this issue suggests, many people want Kibana to support exporting: https://github.com/elasticsearch/kibana/issues/205
Our operations team likes to attach logs to tickets as a means of documenting issues. I wrote a tool in Ruby that queries Elasticsearch and exports the results as CSV (or with a delimiter of your choice). The project is hosted here: https://github.com/robbydyer/stash-query
The tool is CLI-based, so it's not exactly the button-clicking format that many support-type people like, but it's a useful stop-gap measure.
Install It
UPDATE: I’ve published version 0.1.2 to rubygems.org, so you can simply install it with:
gem install stash-query
You can optionally build your own gem from the source. Download the source from GitHub, build it, then install the resulting gem (the version in the file name is whatever the gemspec in your checkout sets):
gem build stash-query.gemspec
gem install stash-query-0.1.0.gem
Run It
Usage:
  -c, --connect_host [HOST]     Logstash host to run query on (defaults to: localhost)
  -p, --port [PORT]             Logstash port (defaults to: 9200)
  -i, --index-prefix [PREFIX]   Index name prefix. Defaults to 'logstash-'
  -w, --write [FILE]            Write output file location (defaults to nil)
  -d, --debug                   Debug mode
  -s, --start [DATE]            Start date. Format: YYYY-MM-DDThh:mm:ss.SSSZ. Ex: 2013-12-01T12:00:00.000Z
  -e, --end [DATE]              End date. Format: YYYY-MM-DDThh:mm:ss.SSSZ
  -q, --query [QUERY]           Query string
  -t, --tags [TAGS]             Tags to query. Comma delimited
  -f, --write-fields [FIELDS]   Comma delimited list of Logstash fields to write to output file. Defaults to "message"
  -l, --delimiter [DELIMITER]   Delimiter to use in output file. Defaults to ','
Example:
stash-query -s 2013-12-01T00:00:00.000Z -e 2013-12-02T00:00:00.000Z -t my_tag -q 'message:hello_world' -w /tmp/my_query.txt
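The three pieces such an exporter needs, written out as an added example in Ruby. This is not stash-query's own code and its names (to_utc_stamp, build_query, hits_to_csv) are this example's own; it assumes the time range, tags and query string are ANDed in a bool query against an @timestamp field, and it works on a constructed Elasticsearch _search response so it runs offline. It shows the two things that trip people up in practice: the -s/-e dates are UTC (that is what the trailing Z means, so local midnight has to be shifted before it is sent), and a query with several ORs should be parenthesised before it is combined with the other clauses. It also returns zero rows on an empty result instead of failing, and lets the CSV library quote any field value that contains the delimiter, a quote or a newline so one log line stays one row when the file is attached to a ticket.

```ruby
require "csv"
require "json"
require "time"

# Added example, not stash-query's own code. Illustrates what a Logstash-to-CSV
# exporter has to do: produce the UTC stamp the -s/-e flags expect, build an
# Elasticsearch query body that ANDs the time range, tags and query string, and
# write selected fields as CSV. Function names and the query shape are assumptions.

# Turn a local wall-clock time plus UTC offset into the 'YYYY-MM-DDThh:mm:ss.SSSZ'
# form used by -s/-e. Elasticsearch stores @timestamp in UTC, so "midnight local"
# must be shifted before it is sent (midnight at -05:00 is 05:00Z).
def to_utc_stamp(year, month, day, hour = 0, min = 0, sec = 0, utc_offset = "+00:00")
  Time.new(year, month, day, hour, min, sec, utc_offset).utc.strftime("%Y-%m-%dT%H:%M:%S.%LZ")
end

# Build the search body. The parts are ANDed via a bool query: the user's query
# string wrapped in parentheses so 'a OR b OR c' is not split by operator
# precedence, a range on @timestamp, and (optionally) a terms filter on tags.
def build_query(start_stamp, end_stamp, query_string, tags = [])
  musts = [
    { query_string: { query: "(#{query_string})" } },
    { range: { "@timestamp" => { gte: start_stamp, lte: end_stamp } } },
  ]
  musts << { terms: { tags: tags } } unless tags.empty?
  { query: { bool: { must: musts } } }
end

# Write selected _source fields from a search response as CSV text.
# Returns [row_count, csv_text]; an empty result gives [0, ""] instead of raising.
# Values containing the delimiter, quotes or newlines are quoted by the CSV library.
def hits_to_csv(response, fields = ["message"], delimiter = ",")
  hits = response.dig("hits", "hits") || []
  return [0, ""] if hits.empty?
  out = CSV.generate(col_sep: delimiter) do |csv|
    csv << fields
    hits.each do |hit|
      src = hit["_source"] || {}
      csv << fields.map { |f| src.fetch(f, "") }
    end
  end
  [hits.size, out]
end

# Constructed sample response (not real data) in the shape the _search API
# returns; the second message deliberately contains a comma, quotes and a newline.
SAMPLE_RESPONSE = JSON.parse(<<~JSON)
  {"hits": {"total": 2, "hits": [
    {"_source": {"@timestamp": "2013-12-01T12:00:00.000Z", "host": "web01", "message": "hello_world from web01"}},
    {"_source": {"@timestamp": "2013-12-01T12:00:01.000Z", "host": "web02", "message": "hello_world, with \\"quotes\\" and a\\nnewline"}}
  ]}}
JSON

if __FILE__ == $PROGRAM_NAME
  puts to_utc_stamp(2016, 2, 24, 0, 0, 0, "-05:00")
  puts JSON.pretty_generate(build_query("2013-12-01T00:00:00.000Z", "2013-12-02T00:00:00.000Z",
                                        "message:hello_world", ["my_tag"]))
  count, csv = hits_to_csv(SAMPLE_RESPONSE, ["@timestamp", "host", "message"])
  puts "#{count} rows"
  print csv
end
```

Run it with plain `ruby` and it prints the shifted timestamp, the query body it would send, and the CSV for the two sample hits. If you copy the delimiter idea into your own exporter, keep the quoting: log lines are attacker-influenced text, and an unquoted delimiter or newline inside a message silently shifts every column after it.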
Hello,
Just a small comment, your documentation is slightly out of date:
gem install stash-query-0.1.0.gem
Should be:
gem install stash-query-0.1.1.gem
Thanks,
Beccy
Robby,
This tool looks awesome, but I can't get it to run. I am sure it's something simple, but I get the below error on CentOS 6.5:
file — stash-query (LoadError)
from /usr/local/rvm/rubies/ruby-1.9.3-p550/lib/ruby/site_ruby/1.9.1/rubygems/core_ext/kernel_require.rb:54:in `require’
from ./stash-query:3:in `’
Does the gem show as being installed? What is your output of:
gem list | grep stash-query
If you’re trying to run the bin file directly from the repo without actually installing the gem, that might cause you some issues.
Hi Robby! Thanks for your work. I had problems during the install:
# gem install stash-query
Fetching: multi_json-1.11.0.gem (100%)
Successfully installed multi_json-1.11.0
Fetching: multipart-post-1.2.0.gem (100%)
Successfully installed multipart-post-1.2.0
Fetching: faraday-0.8.8.gem (100%)
Successfully installed faraday-0.8.8
Fetching: elasticsearch-transport-1.0.7.gem (100%)
Successfully installed elasticsearch-transport-1.0.7
Fetching: elasticsearch-api-1.0.7.gem (100%)
Successfully installed elasticsearch-api-1.0.7
Fetching: elasticsearch-1.0.8.gem (100%)
Successfully installed elasticsearch-1.0.8
Fetching: curb-0.8.6.gem (100%)
Building native extensions. This could take a while…
ERROR: Error installing stash-query:
ERROR: Failed to build gem native extension.
/usr/bin/ruby extconf.rb
mkmf.rb can’t find header files for ruby at /usr/share/include/ruby.h
Gem files will remain installed in /usr/local/share/gems/gems/curb-0.8.6 for inspection.
Results logged to /usr/local/share/gems/gems/curb-0.8.6/ext/gem_make.out
# cat /usr/local/share/gems/gems/curb-0.8.6/ext/gem_make.out
/usr/bin/ruby extconf.rb
mkmf.rb can’t find header files for ruby at /usr/share/include/ruby.h
# gem list | grep stash-query
#
My ruby version:
# yum list installed ruby
Loaded plugins: langpacks, product-id, rhnplugin
This system is receiving updates from RHN Classic or Red Hat Satellite.
Installed Packages
ruby.x86_64 2.0.0.598-24.el7 @rhel-server7
If I try to build my own gem:
# gem build stash-query.gemspec
Invalid gemspec in [stash-query.gemspec]: No such file or directory – git
ERROR: Error loading gemspec. Aborting.
You might need to install the ruby development package, or the group of development tools.
Look for a package named “ruby-devel” or something like it. You should also install the “development tools” group with yum’s groupinstall:
# yum groupinstall "development tools"
Hey Robby,
This is a great tool, found it very useful. Some of my end users are not as comfortable with the command line, so I created a quick web app to front your tool: https://github.com/wjimenez5271/elasticsearch-web-export. It's got a lot of room for improvement, but it's a starting place to get me going. Welcome any feedback you have.
Please help
/usr/local/share/gems/gems/progress_bar-1.0.5/lib/progress_bar.rb:18:in `initialize’: Max must be a positive integer (ProgressBar::ArgumentError)
from /usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:223:in `new’
from /usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:223:in `run_query’
from /usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:66:in `initialize’
from /usr/local/share/gems/gems/stash-query-0.1.3/bin/stash-query:71:in `new’
from /usr/local/share/gems/gems/stash-query-0.1.3/bin/stash-query:71:in `’
Hi Nadhiya,
What you are seeing is an error in your query masked by a bug in the code. If your query to ES returns no result, the check fails and it still tries to create a progress bar. This blows up because a progress bar can't exist on something that will never progress to anything (makes sense?) 😀
I had the same issue and read a bit through the code. The code works fine and is super quick and nice. I had to play around with a few things to fix it. (note: my problem was that I didn’t see the “my_tag” in the example query, if you have that in, and you happen to not have “my_tag” in your tags, it will always blow up).
Start out with a clean query and go step by step. Make sure the dates are valid, make sure the query is valid. Ideally, go to your Kibana setup, choose an absolute time frame and copy-paste all the info. You only need the flags -i -f -w -q -e -s -c -p to work. So:
Is the host correct?
Is the port correct?
Are your dates valid and do you have data for those dates?
Is your query correct?
Is your Index correct?
Is your output file path correct (permissions to write and such)?
If all of the above are yes, it *should* work just fine.
Hi Robby,
Thank you for filling in the gap in Kibana function with stash-query.. Really – very much appreciated..
I’m having a difficult time getting it to run against my logstash.. I’m wondering if you’ve ever encountered this…
user@gogosan:~$ stash-query -d -c myserver.my.domain.name.com -p 5000 -s 2015-12-09T00:00:00.000Z -e 2015-12-11T00:00:00.000Z -q '*searchstring' -t message -w /tmp/query.txt
Using these indices:
/home/user/.rbenv/versions/2.2.4/lib/ruby/gems/2.2.0/gems/stash-query-0.1.3/lib/stash-query/query.rb:217:in `run_query’: undefined method `[]’ for nil:NilClass (NoMethodError)
from /home/user/.rbenv/versions/2.2.4/lib/ruby/gems/2.2.0/gems/stash-query-0.1.3/lib/stash-query/query.rb:66:in `initialize’
from /home/user/.rbenv/versions/2.2.4/lib/ruby/gems/2.2.0/gems/stash-query-0.1.3/bin/stash-query:71:in `new’
from /home/user/.rbenv/versions/2.2.4/lib/ruby/gems/2.2.0/gems/stash-query-0.1.3/bin/stash-query:71:in `’
from /home/user/.rbenv/versions/2.2.4/bin/stash-query:23:in `load’
from /home/user/.rbenv/versions/2.2.4/bin/stash-query:23:in `’
user@gogosan:~$
I have verified that “searchstring” is in the data set between the start and end dates. my index is logstash-* …I’m not sure about the -t message… I’ve run the query with and without it – it doesn’t seem to make a difference..
Thank you for looking at this.. and thanks for writing stash-query..
So the -t flag is for tags, and it is completely optional. ‘message’ is a field, not a tag. You probably want -q ‘message:*searchstring’.
The tool seems broken if you use a long query with multiple ORs… it only returns the last OR matched.
Maybe try wrapping your query in parentheses, like -q '(foo OR bar OR foobar)'. I think the code combines the timestamp range and tags with 'AND', so that could be why multiple ORs return weird results.
Hi, Robby.
Hope you’re still supporting stash-query, and are still tuned in here. When I run stash-query, I get the following error (sorry for the length; mebbe should have pasted):
root@test-log-logstash:/etc/logstash/conf.d# stash-query -s 2016-02-24T00:00:00.000Z -e 2016-02-24T16:30:00.000Z -q 'beat.name:satest01.netatlantic.com' -w /tmp/test_query.txt
/var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/adapters/faraday.rb:92:in `block in request’: request timed out (Faraday::Error::TimeoutError)
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/callbacks.rb:99:in `call’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/callbacks.rb:99:in `block in execute_callbacks’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/callbacks.rb:98:in `map’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/callbacks.rb:98:in `execute_callbacks’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/operations.rb:35:in `finish’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/easy_factory.rb:89:in `block in set_callback’
from /var/lib/gems/1.9.1/gems/ethon-0.6.3/lib/ethon/easy/response_callbacks.rb:65:in `call’
from /var/lib/gems/1.9.1/gems/ethon-0.6.3/lib/ethon/easy/response_callbacks.rb:65:in `block in complete’
from /var/lib/gems/1.9.1/gems/ethon-0.6.3/lib/ethon/easy/response_callbacks.rb:65:in `each’
from /var/lib/gems/1.9.1/gems/ethon-0.6.3/lib/ethon/easy/response_callbacks.rb:65:in `complete’
from /var/lib/gems/1.9.1/gems/ethon-0.6.3/lib/ethon/easy/operations.rb:25:in `perform’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/operations.rb:16:in `run’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/cacheable.rb:17:in `run’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/block_connection.rb:31:in `run’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/stubbable.rb:23:in `run’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/request/before.rb:26:in `run’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/adapters/faraday.rb:68:in `perform_request’
from /var/lib/gems/1.9.1/gems/typhoeus-0.6.6/lib/typhoeus/adapters/faraday.rb:58:in `call’
from /var/lib/gems/1.9.1/gems/faraday-0.8.8/lib/faraday/connection.rb:253:in `run_request’
from /var/lib/gems/1.9.1/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/transport/http/faraday.rb:21:in `block in perform_request’
from /var/lib/gems/1.9.1/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/transport/base.rb:201:in `call’
from /var/lib/gems/1.9.1/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/transport/base.rb:201:in `perform_request’
from /var/lib/gems/1.9.1/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/transport/http/faraday.rb:20:in `perform_request’
from /var/lib/gems/1.9.1/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/client.rb:125:in `perform_request’
from /var/lib/gems/1.9.1/gems/elasticsearch-api-1.0.15/lib/elasticsearch/api/namespace/common.rb:21:in `perform_request’
from /var/lib/gems/1.9.1/gems/elasticsearch-api-1.0.15/lib/elasticsearch/api/actions/indices/exists.rb:46:in `block in exists’
from /var/lib/gems/1.9.1/gems/elasticsearch-api-1.0.15/lib/elasticsearch/api/utils.rb:191:in `__rescue_from_not_found’
from /var/lib/gems/1.9.1/gems/elasticsearch-api-1.0.15/lib/elasticsearch/api/actions/indices/exists.rb:45:in `exists’
from /var/lib/gems/1.9.1/gems/stash-query-0.1.3/lib/stash-query/query.rb:203:in `block in run_query’
from /var/lib/gems/1.9.1/gems/stash-query-0.1.3/lib/stash-query/query.rb:202:in `each’
from /var/lib/gems/1.9.1/gems/stash-query-0.1.3/lib/stash-query/query.rb:202:in `run_query’
from /var/lib/gems/1.9.1/gems/stash-query-0.1.3/lib/stash-query/query.rb:66:in `initialize’
from /var/lib/gems/1.9.1/gems/stash-query-0.1.3/bin/stash-query:71:in `new’
from /var/lib/gems/1.9.1/gems/stash-query-0.1.3/bin/stash-query:71:in `’
from /usr/local/bin/stash-query:23:in `load’
from /usr/local/bin/stash-query:23:in `’
Fix?
Looks like the request is timing out. You could try splitting it up into two queries with shorter date ranges. I’d certainly be open to someone submitting a pull request that provided a way to specify a timeout value.
Hi, Robby.
Thanks for a great tool, and thanks for your reply.
This was actually my bad – I needed to use the “c” switch, as I have set up my ELK such that I have to reference the ip address of the ELK server, rather than “localhost”. So, sorry for that noise.
However, I have another question: if I run the gem, data that are returned are from five hours earlier than what I specified. So, it looks like the gem is returning data GMT, rather than GMT -5, which is the timezone in which I’m located. Can I apply some sort of timezone offset when I run the gem?
Thanks, again.
The timezone thing is tricky- as you’ve seen, the results will be whatever elasticsearch’s timezone is (GMT in your case). The kibana UI automatically converts your queries into the timezone that elasticsearch uses, but stash-query does not do that at this point. I don’t have a quick fix for you at the moment, but if someone wants to submit a pull request with automatic timezone conversion, I’m all for it.
Hello! I need to search an index with the prefix "daemon_log-", and in Kibana I search for the query "WARN".
I run:
stash-query -s 2016-05-06T00:00:01.000Z -e 2016-05-06T23:59:59.000Z -i 'daemon_log-' -q 'WARN' -w /tmp/droid_query.txt
but -i does not work; it searches all indexes.
I typed stash-query
/usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:57:in `initialize’: Improper date format entered (RuntimeError)
from /usr/local/share/gems/gems/stash-query-0.1.3/bin/stash-query:64:in `new’
from /usr/local/share/gems/gems/stash-query-0.1.3/bin/stash-query:64:in `’
from /usr/local/bin/stash-query:23:in `load’
from /usr/local/bin/stash-query:23:in `’
I typed:
stash-query -s 2016-06-07T08:00:01.000Z -e 2016-06-07T16:00:01.000Z -i 'filebeat-' -q 'message: ssh' -w /tmp/test.txt
/usr/local/share/gems/gems/elasticsearch-transport-1.0.17/lib/elasticsearch/transport/transport/base.rb:201:in `__raise_transport_error’: [502] (Elasticsearch::Transport::Transport::Errors::BadGateway)
from /usr/local/share/gems/gems/elasticsearch-transport-1.0.17/lib/elasticsearch/transport/transport/base.rb:312:in `perform_request’
from /usr/local/share/gems/gems/elasticsearch-transport-1.0.17/lib/elasticsearch/transport/transport/http/faraday.rb:20:in `perform_request’
from /usr/local/share/gems/gems/elasticsearch-transport-1.0.17/lib/elasticsearch/transport/client.rb:128:in `perform_request’
from /usr/local/share/gems/gems/elasticsearch-api-1.0.17/lib/elasticsearch/api/namespace/common.rb:21:in `perform_request’
from /usr/local/share/gems/gems/elasticsearch-api-1.0.17/lib/elasticsearch/api/actions/indices/exists.rb:46:in `block in exists’
from /usr/local/share/gems/gems/elasticsearch-api-1.0.17/lib/elasticsearch/api/utils.rb:197:in `__rescue_from_not_found’
from /usr/local/share/gems/gems/elasticsearch-api-1.0.17/lib/elasticsearch/api/actions/indices/exists.rb:45:in `exists’
from /usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:204:in `block in run_query’
from /usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:203:in `each’
from /usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:203:in `run_query’
from /usr/local/share/gems/gems/stash-query-0.1.3/lib/stash-query/query.rb:68:in `initialize’
from /usr/local/share/gems/gems/stash-query-0.1.3/bin/stash-query:64:in `new’
from /usr/local/share/gems/gems/stash-query-0.1.3/bin/stash-query:64:in `’
from /usr/local/bin/stash-query:23:in `load’
from /usr/local/bin/stash-query:23:in `’
Fix ?
I am trying to use this tool but getting the error as below. Please help.
ERROR: Error installing stash-query-0.1.3.gem:
ERROR: Failed to build gem native extension.
/usr/bin/ruby extconf.rb
checking for curl-config… no
checking for main() in -lcurl… no
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers. Check the mkmf.log file for more details. You may
need configuration options.
Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib64
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/bin/ruby
--with-curl-dir
--without-curl-dir
--with-curl-include
--without-curl-include=${curl-dir}/include
--with-curl-lib
--without-curl-lib=${curl-dir}/
--with-curllib
--without-curllib
extconf.rb:18:in `': Can't find libcurl or curl/curl.h (RuntimeError)
Try passing --with-curl-dir or --with-curl-lib and --with-curl-include
options to extconf.
Gem files will remain installed in /usr/local/share/gems/gems/curb-0.9.3 for inspection.
Results logged to /usr/local/share/gems/gems/curb-0.9.3/ext/gem_make.out