cinhtau/filebeat.md

## filebeat.md

      
    Raw
  

              filebeat.md
            
          
    Filebeat Checks

./filebeat test config

./filebeat test output

Start filebeat

With reload and debug
./filebeat -e -c filebeat.yml -d "publish"

Start with less noise
./filebeat -c filebeat.yml


## part1_search.txt
GET payments-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-4h"
          }
        }
      }
    }
  },
  "aggs": {
    "states": {
      "terms": {
        "field": "address.state"
      },
      "aggs": {
        "payments": {
          "sum": {
            "field": "amount"
          }
        },
        "payments_bucket_sort": {
          "bucket_sort": {
            "sort": [
              {
                "payments": {
                  "order": "desc"
                }
              }
            ],
            "size": 5
          }
        }
      }
    }
  }
}

## part2_search.txt
GET payments-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-4h"
          }
        }
      }
    }
  },
  "aggs": {
    "states": {
      "terms": {
        "field": "address.state",
        "size": 5
      },
      "aggs": {
        "cities": {
          "terms": {
            "field": "address.city"
          },
          "aggs": {
            "payments": {
              "sum": {
                "field": "amount"
              }
            },
            "payments_bucket_sort": {
              "bucket_sort": {
                "sort": [
                  {
                    "payments": {
                      "order": "desc"
                    }
                  }
                ],
                "size": 3
              }
            }
          }
        }
      }
    }
  }
}

## template-statistics.txt
PUT _template/statistics
{
  "index_patterns": [
    "statistics-*"
  ],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "doc": {
      "dynamic": true,
      "properties": {
        "logtime": {
          "type": "date",
          "format": "epoch_millis"
        },
        "counter": {
          "type": "integer"
        },
        "class": {
          "type": "keyword"
        }
      }
    }
  }
}
	GET payments-*/_search
	{
	"size": 0,
	"query": {
	"bool": {
	"must": [
	{
	"match_all": {}
	}
	],
	"filter": {
	"range": {
	"@timestamp": {
	"gte": "now-4h"
	}
	}
	}
	}
	},
	"aggs": {
	"states": {
	"terms": {
	"field": "address.state"
	},
	"aggs": {
	"payments": {
	"sum": {
	"field": "amount"
	}
	},
	"payments_bucket_sort": {
	"bucket_sort": {
	"sort": [
	{
	"payments": {
	"order": "desc"
	}
	}
	],
	"size": 5
	}
	}
	}
	}
	}
	}
	PUT _template/statistics
	{
	"index_patterns": [
	"statistics-*"
	],
	"settings": {
	"number_of_shards": 1
	},
	"mappings": {
	"doc": {
	"dynamic": true,
	"properties": {
	"logtime": {
	"type": "date",
	"format": "epoch_millis"
	},
	"counter": {
	"type": "integer"
	},
	"class": {
	"type": "keyword"
	}
	}
	}
	}
	}