Count occurrences with Elasticsearch REST API
Facets let you name a field and get back its N most frequent terms. This is great for debugging the ELK stack, but also Elasticsearch in general. This example uses ELK combined with RSYSLOG, but that should not make any difference - just change the field value in the JSON request.
Here is a simple request using facets:
curl -XGET "http://localhost:9200/logstash-2015.05.26/_search?pretty" -d '{
  "query" : {
    "match_all" : { }
  },
  "facets" : {
    "tag" : {
      "terms" : {
        "field" : "syslog_hostname",
        "all_terms" : true
      }
    }
  }
}'
Response - hostnames ("field" : "syslog_hostname"):
...
  "facets" : {
    "tag" : {
      "_type" : "terms",
      "missing" : 3306,
      "total" : 14292755,
      "other" : 711772,
      "terms" : [ {
        "term" : "hostname1",
        "count" : 4082712
      }, {
        "term" : "hostname2",
        "count" : 4068628
      }, {
        "term" : "hostname3",
        "count" : 4049217
      }, {
        "term" : "hostname4",
        "count" : 766383
      }, {
        "term" : "hostname5",
        "count" : 137678
      }, {
        "term" : "hostname6",
        "count" : 137263
      }, {
        "term" : "hostname7",
        "count" : 134623
      }, {
        "term" : "hostname8",
        "count" : 76114
      }, {
        "term" : "hostname9",
        "count" : 65815
      }, {
        "term" : "hostname10",
        "count" : 62550
      } ]
    }
  }
}
Response - programs ("field" : "syslog_program"):
...
  "facets" : {
    "tag" : {
      "_type" : "terms",
      "missing" : 3306,
      "total" : 11120026,
      "other" : 467298,
      "terms" : [ {
        "term" : "info",
        "count" : 4138010
      }, {
        "term" : "logger",
        "count" : 4127874
      }, {
        "term" : "postfix",
        "count" : 855253
      }, {
        "term" : "pipe",
        "count" : 475922
      }, {
        "term" : "sshd",
        "count" : 318330
      }, {
        "term" : "qmgr",
        "count" : 297262
      }, {
        "term" : "vdk_prod",
        "count" : 270648
      }, {
        "term" : "zimbramon",
        "count" : 67746
      }, {
        "term" : "puppet",
        "count" : 52920
      }, {
        "term" : "amavis",
        "count" : 48763
      } ]
    }
  }
}
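The following is an added example (not code from the original post) that builds the same terms-facet request, its equivalent in the aggregations API that later replaced facets, and turns a facet response into the numbers you actually want when debugging: how much of the index the top-N terms explain, how much fell into "other", and how many events have no value for the field at all. The sample response is constructed from the syslog_hostname counts shown above; the size parameter, the 10% "other" threshold and the helper names are this example's choices.

```python
"""Terms-facet helpers: build the request and summarize the response.
Added example, not code from the original post; the sample response is
constructed from the syslog_hostname counts shown on the page."""

# Constructed sample: the "facets" part of the hostname response above.
SAMPLE_RESPONSE = {"facets": {"tag": {
    "_type": "terms", "missing": 3306, "total": 14292755, "other": 711772,
    "terms": [
        {"term": "hostname1", "count": 4082712}, {"term": "hostname2", "count": 4068628},
        {"term": "hostname3", "count": 4049217}, {"term": "hostname4", "count": 766383},
        {"term": "hostname5", "count": 137678}, {"term": "hostname6", "count": 137263},
        {"term": "hostname7", "count": 134623}, {"term": "hostname8", "count": 76114},
        {"term": "hostname9", "count": 65815}, {"term": "hostname10", "count": 62550},
    ]}}}


def build_terms_facet_query(field, size=10):
    """Request body equivalent to the curl call above; size defaults to 10 as in ES."""
    return {"query": {"match_all": {}},
            "facets": {"tag": {"terms": {"field": field, "size": size, "all_terms": True}}}}


def build_terms_aggregation_query(field, size=10):
    """Same count via the aggregations API that replaced facets (facets were removed
    in Elasticsearch 2.0); buckets return under aggregations.tag.buckets as key/doc_count."""
    return {"size": 0, "query": {"match_all": {}},
            "aggs": {"tag": {"terms": {"field": field, "size": size}}}}


def summarize_terms_facet(response, facet_name="tag", max_other_share=0.10):
    """Rank the terms and report how much of the index the top-N explain: the share
    covered, the share lumped into "other", docs with no value at all ("missing",
    typically unparsed syslog lines) and whether a larger size is warranted."""
    facet = response["facets"][facet_name]
    total = facet["total"]
    rows = sorted(((t["term"], t["count"]) for t in facet["terms"]),
                  key=lambda r: r[1], reverse=True)
    listed = sum(count for _, count in rows)
    other_share = facet["other"] / total if total else 0.0
    return {"rows": rows,
            "coverage": round(listed / total, 4) if total else 0.0,
            "other_share": round(other_share, 4),
            "missing": facet["missing"],
            "increase_size": other_share > max_other_share}


if __name__ == "__main__":
    s = summarize_terms_facet(SAMPLE_RESPONSE)
    print(s["rows"][:3], s["coverage"], s["other_share"], s["missing"], s["increase_size"])
```

A non-zero "missing" on a field like syslog_hostname means events reached the index without that field, which usually points at a parsing problem upstream rather than at the hosts themselves.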
Read more about Elasticsearch facets here: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-facets-terms-facet.html