ELK useful commands

Материал из Webko Wiki
Версия от 10:47, 21 февраля 2020; Sol (обсуждение | вклад) (Новая страница: «Show cluster health | pretty formated <syntaxhighlight lang="bash"> curl -XGET 'IP-OF-ELASTIC-SERVER:9200/_cluster/health?pretty' </syntaxhighlight> Show cluster…»)
(разн.) ← Предыдущая | Текущая версия (разн.) | Следующая → (разн.)
Перейти к навигации Перейти к поиску

Show cluster health | pretty formated 

curl -XGET 'IP-OF-ELASTIC-SERVER:9200/_cluster/health?pretty'

Show cluster settings | pretty formated 

curl -XGET 'IP-OF-ELASTIC-SERVER:9200/_cluster/settings?pretty'

Show all indexes 

curl -XGET 'IP-OF-ELASTIC-SERVER:9200/_cat/indices?v'

Show all indexes which start with logsta* 

curl -XGET 'IP-OF-ELASTIC-SERVER:9200/_cat/indices/logsta*?v&s=index'

Show all indexes/shards in state unassigned 

curl -XGET -H 'Content-Type: application/json' http://IP-OF-ELASTIC-SERVER:9200/_cat/shards | grep UNASSIGNED

Unlock all indexes manually 

curl -XPUT -H "Content-Type: application/json" http://IP-OF-ELASTIC-SERVER:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'

Get default logstash template from elasticsearch | pretty formated | stored in temp directory 

curl -XGET 'IP-OF-ELASTIC-SERVER:9200/_template/logstash?pretty' > /tmp/logstash-template.json

Upload modified logstash template to elasticsearch from directory where logstash-template.json exists | hint dont forget to remove the logstash parameter in the file 

curl -XPUT -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/_template/logstash' -d "@logstash-template.json"

Run logstash from commandline with all config files in debug mode 

/usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -r -f "/etc/logstash/conf.d/*" --log.level debug

Run logstash from commandline with specific config file in debug mode 

/usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -r -f "/etc/logstash/conf.d/00-test.config" --log.level debug

Change the number of replicas at one existing index 

curl -XPUT -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/.alert/_settings' -d '{ "index" : {"number_of_replicas" : 0}}'

Change the number of replicas at multiple existing indexes | sets number_of_replicas:0 to all cisco indexes from the year 2018 

curl -XPUT -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/logstash-cisco-2018.*.*/_settings' -d '{ "index" : {"number_of_replicas" : 0}}'

Delete all indexes from a year 

curl -XDELETE 'IP-OF-ELASTIC-SERVER:9200/logstash-cisco-2018.*.*'

Create an index manuall from cli via curl | name of index is aa_test_index | number_of_shards:1 and number_of_replicas:0 

curl -XPUT -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/aa_test_index?pretty' -d '{"settings" : {"index" : {"number_of_shards" : 1,"number_of_replicas" : 0 }}}'

Create an index manuall from cli by using logstash | name of index is aa_test_index_from_cli 

/usr/share/logstash/bin/logstash --path.settings "/etc/logstash/" -e 'input { stdin { } } output { elasticsearch { hosts => "IP-OF-ELASTIC-SERVER:9200" index => "aa_test_index_from_cli" } }'

Logstash config test 

/usr/share/logstash/bin/logstash --path.settings "/etc/logstash/" --config.test_and_exit -f /etc/logstash/conf.d/

Set existing index to read-only | ! needed for shrinking shards ! | this command sets all shards from december 2018 to read-only 

curl -XPUT -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/logstash-cisco-2018.12.*/_settings' -d '{"index.blocks.write": true}'

Shrink existing shards | shrinks the data from existing index "logstash-cisco-2018.12.24" to the new "smaller index" logstash-cisco-2018.12.24.shrinked | copy all index settings to new one | number_of_shards:1 and number_of_replicas:0 | using best_compression | disable read-only mode 

curl -POST -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/logstash-cisco-2018.12.24/_shrink/logstash-cisco-2018.12.24-shrinked?copy_settings=true' -d '{ "settings": { "index.number_of_replicas": 0, "index.number_of_shards": 1, "index.codec": "best_compression", "index.routing.allocation.require._name": null, "index.blocks.write": null }, "aliases": { "my_search_indices": {}  }}'

Increase the elasticsearch shard limit from 1000 to 5000 for each node 

curl -XPUT -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/_cluster/settings' -d '{ "persistent" : {"cluster.max_shards_per_node" : 5000}}'

Set the Cluster Metadata Administrator Email address 

curl -XPUT -H 'Content-Type: application/json' 'IP-OF-ELASTIC-SERVER:9200/_cluster/settings' -d '{ "persistent" : {"cluster.metadata.administrator" : "[email protected]"}}'
Источник — https://wiki.webko.net.ua/index.php?title=ELK_useful_commands&oldid=650