I had mistakenly put extra space in the URL. Corrected URL is http://localhost:9200/_search?q=status:FAILURE&pretty
Regards
Sachin Divekar

On Tue Dec 16 2014 at 8:01:37 PM Sachin Divekar <[email protected]> wrote:

> Hi Rod,
>
> Try following URL
>
> http://localhost:9200/_search?q=status: FAILURE&pretty
>
> In output you will find something like following
>
> --------------------------------
>
> "hits": {
>   "total": 7,
>   "max_score": 1,
>   "hits": [
>
> ---------------------------------
>
> So in "hits" block value of "total" field is your count of failed logon
> requests.
>
> For understanding search API and output of search query refer
> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/_the_search_api.html
>
> Regards
> Sachin Divekar
>
> On Tue Dec 16 2014 at 7:01:02 PM Rod Clayton <[email protected]> wrote:
>
>> Dear Sachin,
>>
>> Here is the GIST with the output you requested:
>>
>> ka3bhy <https://gist.github.com/ka3bhy> / *gist:082a5410d36264521ccb
>> <https://gist.github.com/ka3bhy/082a5410d36264521ccb>*
>>
>> On Monday, December 15, 2014 10:13:02 PM UTC-5, Sachin Divekar wrote:
>>
>>> Hi,
>>>
>>> Share output of http://localhost:9200/foo/_search?pretty=true&q=*:*
>>> substitute foo with name of your index.
>>> Use gist to share the output. I suggest, read
>>> http://www.elasticsearch.org/help/
>>>
>>> Sachin Divekar
>>>
>>> On Tue, Dec 16, 2014, 1:38 AM Rod Clayton <[email protected]> wrote:
>>>
>>>> The logstash debug for the input logs look like:
>>>>
>>>> {
>>>>   "message" => "37208057\tSecurity\tMicrosoft-Windows-Security-Auditing\tSUCCESS AUDIT\tserver.myorg.org\t11/18/2014 12:13:32 AM\t4776\tNone\t\"The computer attempted to validate the credentials for an account.
>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>> Logon Account: joe
>>>> Source Workstation: joescomputer
>>>> Error Code: 0x0
>>>> \"",
>>>>   "@version" => "1",
>>>>   "@timestamp" => "2014-11-18T05:13:32.000Z",
>>>>   "host" => "0:0:0:0:0:0:0:1:51947",
>>>>   "type" => "logons",
>>>>   "recno" => "37208057",
>>>>   "logtype" => "Security",
>>>>   "status" => "SUCCESS",
>>>>   "hostname" => "server.myorg.org",
>>>>   "eventCode" => "4776",
>>>>   "username" => "joe",
>>>>   "workstation" => "joescomputer",
>>>>   "retcd" => "0x0",
>>>>   "received_at" => "2014-12-15 19:25:49 UTC",
>>>>   "received_from" => "0:0:0:0:0:0:0:1:51947"
>>>> }
>>>>
>>>> I have obscured the host names and accounts, but the fields are the
>>>> same.
>>>>
>>>> I am hoping for output like:
>>>>
>>>> username   workstation name   error code   Count
>>>> root       maryscomputer      6a           100
>>>> joe        lab1               6a           5
>>>> joe        lab2               6a           2
>>>> mary       maryscomputer      6a           1
>>>>
>>>> This assumes that the detail records were all dated the same day.
>>>> I am expecting that this is going to come back in a JSON format that I
>>>> will have to format to look like above.
>>>>
>>>> Is this what you wanted?
>>>>
>>>> On Monday, December 15, 2014 1:03:07 PM UTC-5, Sachin Divekar wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can you share some sample data and desired output?
>>>>>
>>>>> Sachin Divekar
>>>>>
>>>>> On Mon, Dec 15, 2014, 10:00 PM Rod Clayton <[email protected]> wrote:
>>>>>
>>>>>> I have loaded login data into Elasticsearch using Logstash.
>>>>>>
>>>>>> I have fields: username retcd workstation.
>>>>>>
>>>>>> I want to query and get a count of failed logon requests by username
>>>>>> and workstation on a given day.
>>>>>>
>>>>>> The indexes are named like logstash-2014.11.18.
>>>>>>
>>>>>> What would a query for this look like on the day listed above?
>>>>>>
>>>>>> Thanks,
>>>>>> Rod

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CA%2BA8H7kDZ5zX4m4%3D%2BwKGFaKkkG9tAhKBDBgcqwYm8%2B%2Bmx-k7Mw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
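The `q=status:FAILURE` search above returns one overall count in `hits.total` (and, against `/_search`, across every index); the per-username/per-workstation table Rod described needs a terms aggregation against the day's index instead. The following is an added example, not code from the thread: it builds that aggregation body for `logstash-2014.11.18`, flattens the bucket tree into table rows, and parses a constructed sample response; it assumes the fields have the not_analyzed `.raw` subfields that Logstash's default index template creates, and the `0xc000006a` return code is a sample value, not one from the thread.

```python
import json
import urllib.request


def failed_logon_query(size=50):
    """Search body: failed logons only, bucketed by username, then workstation, then
    return code. size=0 drops raw hits; .raw = Logstash's not_analyzed subfields (assumed)."""
    def terms(field):
        return {"terms": {"field": field, "size": size}}
    return {
        "size": 0,
        "query": {"match": {"status": "FAILURE"}},
        "aggs": {"by_user": dict(terms("username.raw"), aggs={
            "by_workstation": dict(terms("workstation.raw"), aggs={
                "by_retcd": terms("retcd.raw")})})},
    }


def flatten(response):
    """Nested buckets -> (username, workstation, retcd, count) rows, biggest first."""
    rows = []
    for u in response["aggregations"]["by_user"]["buckets"]:
        for w in u["by_workstation"]["buckets"]:
            for r in w["by_retcd"]["buckets"]:
                rows.append((u["key"], w["key"], r["key"], r["doc_count"]))
    return sorted(rows, key=lambda row: -row[3])


def fetch(es="http://localhost:9200", index="logstash-2014.11.18"):
    """POST the body to the one-day index and return the parsed JSON (needs a live node)."""
    req = urllib.request.Request(f"{es}/{index}/_search", method="POST",
                                 data=json.dumps(failed_logon_query()).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


SAMPLE_RESPONSE = {  # constructed sample, shaped like an ES 1.x aggregation response
    "hits": {"total": 108},
    "aggregations": {"by_user": {"buckets": [
        {"key": "root", "doc_count": 100, "by_workstation": {"buckets": [
            {"key": "maryscomputer", "doc_count": 100,
             "by_retcd": {"buckets": [{"key": "0xc000006a", "doc_count": 100}]}}]}},
        {"key": "joe", "doc_count": 7, "by_workstation": {"buckets": [
            {"key": "lab1", "doc_count": 5,
             "by_retcd": {"buckets": [{"key": "0xc000006a", "doc_count": 5}]}},
            {"key": "lab2", "doc_count": 2,
             "by_retcd": {"buckets": [{"key": "0xc000006a", "doc_count": 2}]}}]}},
        {"key": "mary", "doc_count": 1, "by_workstation": {"buckets": [
            {"key": "maryscomputer", "doc_count": 1,
             "by_retcd": {"buckets": [{"key": "0xc000006a", "doc_count": 1}]}}]}},
    ]}},
}
```

The row counts add up to `hits.total`, so the single number from the query-string search is a quick sanity check on the aggregated table; `flatten(fetch())` produces the same rows from a live node.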
