Count occurences with Elasticsearch REST API

Facets allow you to specify a field to get N most frequent terms. This is great for debugging the ELK stack, but also Elasticsearch in general. This example is ELK combined with RSYSLOG, but it should not make any difference - just change the field value in the JSON request.

Here is a simple request using facets:

curl -XGET "http://localhost:9200/logstash-2015.05.26/_search?pretty" -d '{
    "query" : {
        "match_all" : {  }
    },
    "facets" : {
        "tag" : {
            "terms" : {
                "field" : "syslog_hostname",
                "all_terms" : true
            }
        }
    }
}'

Response - Hostnames ("field" : "syslog_hostname",):

...
"facets" : {
  "tag" : {
    "_type" : "terms",
    "missing" : 3306,
    "total" : 14292755,
    "other" : 711772,
    "terms" : [ {
      "term" : "hostname1",
      "count" : 4082712
    }, {
      "term" : "hostname2",
      "count" : 4068628
    }, {
      "term" : "hostname3",
      "count" : 4049217
    }, {
      "term" : "hostname4",
      "count" : 766383
    }, {
      "term" : "hostname5",
      "count" : 137678
    }, {
      "term" : "hostname6",
      "count" : 137263
    }, {
      "term" : "hostname7",
      "count" : 134623
    }, {
      "term" : "hostname8",
      "count" : 76114
    }, {
      "term" : "hostname9",
      "count" : 65815
    }, {
      "term" : "hostname10",
      "count" : 62550
    } ]
  }
}

}

Response - Program ("field" : "syslog_program",):

...
  "facets" : {
    "tag" : {
      "_type" : "terms",
      "missing" : 3306,
      "total" : 11120026,
      "other" : 467298,
      "terms" : [ {
        "term" : "info",
        "count" : 4138010
      }, {
        "term" : "logger",
        "count" : 4127874
      }, {
        "term" : "postfix",
        "count" : 855253
      }, {
        "term" : "pipe",
        "count" : 475922
      }, {
        "term" : "sshd",
        "count" : 318330
      }, {
        "term" : "qmgr",
        "count" : 297262
      }, {
        "term" : "vdk_prod",
        "count" : 270648
      }, {
        "term" : "zimbramon",
        "count" : 67746
      }, {
        "term" : "puppet",
        "count" : 52920
      }, {
        "term" : "amavis",
        "count" : 48763
      } ]
    }
  }
}

Read more about Elasticsearch facets here: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-facets-terms-facet.html

comments powered by Disqus