Hi Rod,

Try following URL

http://localhost:9200/_search?q=status:FAILURE&pretty

In output you will find something like following

--------------------------------
"hits": {
    "total": 7,
    "max_score": 1,
    "hits": [
---------------------------------

So in "hits" block value of "total" field is your count of failed logon requests.

For understanding search API and output of search query refer
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/_the_search_api.html

Regards
Sachin Divekar

On Tue Dec 16 2014 at 7:01:02 PM Rod Clayton <[email protected]> wrote:

> Dear Sachin,
>
> Here is the GIST with the output you requested:
>
> ka3bhy <https://gist.github.com/ka3bhy> / gist:082a5410d36264521ccb
> <https://gist.github.com/ka3bhy/082a5410d36264521ccb>
>
> On Monday, December 15, 2014 10:13:02 PM UTC-5, Sachin Divekar wrote:
>
>> Hi,
>>
>> Share output of http://localhost:9200/foo/_search?pretty=true&q=*:*
>> substitute foo with name of your index.
>> Use gist to share the output. I suggest, read
>> http://www.elasticsearch.org/help/
>>
>> Sachin Divekar
>>
>> On Tue, Dec 16, 2014, 1:38 AM Rod Clayton <[email protected]> wrote:
>>
>>> The logstash debug for the input logs looks like:
>>>
>>> {
>>>     "message" => "37208057\tSecurity\tMicrosoft-Windows-Security-Auditing\tSUCCESS AUDIT\tserver.myorg.org\t11/18/2014 12:13:32 AM\t4776\tNone\t\"The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: joe Source Workstation: joescomputer Error Code: 0x0 \"",
>>>     "@version" => "1",
>>>     "@timestamp" => "2014-11-18T05:13:32.000Z",
>>>     "host" => "0:0:0:0:0:0:0:1:51947",
>>>     "type" => "logons",
>>>     "recno" => "37208057",
>>>     "logtype" => "Security",
>>>     "status" => "SUCCESS",
>>>     "hostname" => "server.myorg.org",
>>>     "eventCode" => "4776",
>>>     "username" => "joe",
>>>     "workstation" => "joescomputer",
>>>     "retcd" => "0x0",
>>>     "received_at" => "2014-12-15 19:25:49 UTC",
>>>     "received_from" => "0:0:0:0:0:0:0:1:51947"
>>> }
>>>
>>> I have obscured the host names and accounts, but the fields are the same.
>>>
>>> I am hoping for output like:
>>>
>>> username    workstation name    error code    Count
>>> root        maryscomputer       6a            100
>>> joe         lab1                6a            5
>>> joe         lab2                6a            2
>>> mary        maryscomputer       6a            1
>>>
>>> This assumes that the detail records were all dated the same day.
>>> I am expecting that this is going to come back in a JSON format that I
>>> will have to format to look like above.
>>>
>>> Is this what you wanted?
>>>
>>> On Monday, December 15, 2014 1:03:07 PM UTC-5, Sachin Divekar wrote:
>>>
>>>> Hi,
>>>>
>>>> Can you share some sample data and desired output?
>>>>
>>>> Sachin Divekar
>>>>
>>>> On Mon, Dec 15, 2014, 10:00 PM Rod Clayton <[email protected]> wrote:
>>>>
>>>>> I have loaded login data into Elasticsearch using Logstash.
>>>>>
>>>>> I have fields: username retcd workstation.
>>>>>
>>>>> I want to query and get a count of failed logon requests by username
>>>>> and workstation on a given day.
>>>>>
>>>>> The indexes are named like logstash-2014.11.18.
>>>>>
>>>>> What would a query for this look like on the day listed above?
>>>>>
>>>>> Thanks,
>>>>> Rod
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "elasticsearch" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/elasticsearch/dd8ca3ed-c9e6-478a-ad77-9418e5822296%40googlegroups.com
>>>>> For more options, visit https://groups.google.com/d/optout.
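The per-username / per-workstation breakdown Rod asked for (his "hoping for output like" table) comes from a terms aggregation on the daily index rather than from the hit count alone. The following is an added example for this thread, not code from either participant. It assumes the daily index naming from the thread (logstash-YYYY.MM.DD), the field names from Rod's Logstash debug output (status, username, workstation, retcd), that the default Logstash index template created not_analyzed ".raw" sub-fields so the aggregation groups on exact values (the RAW_SUFFIX constant and the "filtered" query form are Elasticsearch 1.x conventions current when the thread was written; 2.x and later use a bool query with "filter"), and a response document that is constructed here to mirror Rod's desired table.

```python
"""Count failed logons per username / workstation / error code for one day.

Added example for the elasticsearch-list thread above; not code from the
original posts. Assumptions not stated in the thread: Logstash's default
template added not_analyzed "<field>.raw" sub-fields, and the 1.x "filtered"
query form is what the cluster accepts.
"""
import json
from datetime import date

BASE_URL = "http://localhost:9200"  # host:port used throughout the thread
RAW_SUFFIX = ".raw"  # assumption: exact-value sub-field; set to "" if the
                     # mapping already stores these fields not_analyzed


def index_for_day(day_iso):
    """Map an ISO date ("2014-11-18") to the daily Logstash index name."""
    day = date.fromisoformat(day_iso)  # rejects malformed dates early
    return "logstash-" + day.strftime("%Y.%m.%d")


def search_url(day_iso):
    """_search endpoint for one day's index; ?pretty as in the thread."""
    return "%s/%s/_search?pretty" % (BASE_URL, index_for_day(day_iso))


def failed_logon_query(max_buckets=1000):
    """Search body: keep only status FAILURE, then nest three terms aggs.

    size 0 suppresses the hit list; only the buckets are returned. The
    nesting order username -> workstation -> retcd matches Rod's table.
    """
    def exact(name):
        return name + RAW_SUFFIX

    return {
        "size": 0,
        "query": {"filtered": {"filter": {"term": {exact("status"): "FAILURE"}}}},
        "aggs": {"by_user": {
            "terms": {"field": exact("username"), "size": max_buckets},
            "aggs": {"by_workstation": {
                "terms": {"field": exact("workstation"), "size": max_buckets},
                "aggs": {"by_retcd": {
                    "terms": {"field": exact("retcd"), "size": max_buckets}}}}}}},
    }


def run_search(day_iso, body=None):
    """POST the body to Elasticsearch and return the decoded JSON (network)."""
    from urllib.request import Request, urlopen
    payload = json.dumps(body or failed_logon_query()).encode()
    req = Request(search_url(day_iso), data=payload,
                  headers={"Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)


def flatten_buckets(response):
    """Walk the nested buckets into (username, workstation, retcd, count)
    rows, largest count first."""
    rows = []
    for u in response["aggregations"]["by_user"]["buckets"]:
        for w in u["by_workstation"]["buckets"]:
            for r in w["by_retcd"]["buckets"]:
                rows.append((u["key"], w["key"], r["key"], r["doc_count"]))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


def format_table(rows):
    """Render rows as the aligned text table Rod described."""
    header = ("username", "workstation", "error code", "count")
    widths = [max(len(str(v)) for v in col) for col in zip(header, *rows)]

    def line(cells):
        return "  ".join(str(c).ljust(w) for c, w in zip(cells, widths))

    return "\n".join([line(header)] + [line(r) for r in rows])


# Constructed sample response shaped like an ES terms-aggregation reply and
# mirroring the counts in Rod's desired output (100 + 5 + 2 + 1 = 108 hits).
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {"total": 108, "max_score": 0, "hits": []},
    "aggregations": {"by_user": {"buckets": [
        {"key": "root", "doc_count": 100, "by_workstation": {"buckets": [
            {"key": "maryscomputer", "doc_count": 100, "by_retcd": {"buckets": [
                {"key": "6a", "doc_count": 100}]}}]}},
        {"key": "joe", "doc_count": 7, "by_workstation": {"buckets": [
            {"key": "lab1", "doc_count": 5, "by_retcd": {"buckets": [
                {"key": "6a", "doc_count": 5}]}},
            {"key": "lab2", "doc_count": 2, "by_retcd": {"buckets": [
                {"key": "6a", "doc_count": 2}]}}]}},
        {"key": "mary", "doc_count": 1, "by_workstation": {"buckets": [
            {"key": "maryscomputer", "doc_count": 1, "by_retcd": {"buckets": [
                {"key": "6a", "doc_count": 1}]}}]}},
    ]}},
}


if __name__ == "__main__":
    print(json.dumps(failed_logon_query(), indent=2))
    # Replace SAMPLE_RESPONSE with run_search("2014-11-18") against a live node.
    print(format_table(flatten_buckets(SAMPLE_RESPONSE)))
```

The overall count in the reply's "hits.total" still comes back alongside the buckets, so the URL Sachin gives and this body agree on the day's total; the aggregation adds the per-user and per-workstation split. If the terms aggregation returns one bucket per word (for example "lab" and "1" instead of "lab1"), the field is being analyzed and the ".raw" sub-field (or a not_analyzed mapping) is needed.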
