Humble implementation of a Unix like "tail" command for Elasticsearch using Python.
Tested with Logstash indexed content.
Install
$ git clone https://github.com/juan-domenech/elasticsearch-python.git
$ cd elasticsearch-python/
$ python elasticsearch-tail.py
Basic usage
The only mandatory parameter is --endpoint.
Example:
$ python elasticsearch-tail.py --endpoint http://elk.example.com
By default the last 10 lines of log are displayed. You can change this behaviour with the --docs or -n switch.
Example: To display the last 50 lines.
$ python elasticsearch-tail.py --endpoint http://elk.example.com -n 50
To have continuous output use -f or --nonstop
Example:
$ python elasticsearch-tail.py --endpoint http://elk.example.com -f
By default the ES type apache is used. You can select other types with --type
Examples:
$ python elasticsearch-tail.py --endpoint http://elk.example.com --type java
$ python elasticsearch-tail.py --endpoint http://elk.example.com --type apache
Advanced
By default the most recent Logstash index is used. Optionally you can specify the desired index name using --index
Example:
$ python elasticsearch-tail.py --endpoint http://elk.example.com --index logstash-2016.08.08
When using --type java there are two other selectors available: --javalevel and --javaclass
Examples:
$ python elasticsearch-tail.py --endpoint http://elk.example.com --type java --javalevel ERROR
$ python elasticsearch-tail.py --endpoint http://elk.example.com --type java --javaclass error.handler.java.class
When using --type apache there are two other selectors available: --httpresponse and --httpmethod
Examples:
$ python elasticsearch-tail.py --endpoint http://elk.example.com --type apache --httpresponse 404
$ python elasticsearch-tail.py --endpoint http://elk.example.com --type apache --httpmethod POST
To display the native Elasticsearch timestamp of each event use --showheaders (convenient when piping the output through grep for additional filtering).
Example:
$ python elasticsearch-tail.py --endpoint http://elk.example.com --showheaders
To display events belonging to a particular host and ignore the rest use --hostname
Example:
$ python elasticsearch-tail.py --endpoint http://elk.example.com --hostname server1.example.com
Connection modes
The default protocol is HTTP (port 80), but any other port can be specified in --endpoint
Example for HTTPS:
$ python elasticsearch-tail.py -f --endpoint https://elk.example.com
$ python elasticsearch-tail.py -f --endpoint https://elk.example.com:443
Example for Elasticsearch native port:
$ python elasticsearch-tail.py -f --endpoint http://elk.example.com:9200
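The sections above describe what such a tail has to do: resolve the endpoint and its default port, pick the newest logstash- index, ask Elasticsearch for the newest N events of one type with optional exact-match selectors, and in -f mode keep asking only for events newer than the last one seen. The following is an added example, not the project's own code: it implements those pieces in Python and runs them against a handful of constructed Logstash-style documents through a small in-memory stand-in for Elasticsearch.search(), so it executes offline. The field names host, response, verb, level and class, the search() stand-in and the 10000-document page size are assumptions, not something the README specifies.

```python
"""Added example of the core logic of an Elasticsearch tail (not the project's code)."""
from urllib.parse import urlparse

LOGSTASH_PREFIX = "logstash-"   # the only index prefix the README says is considered


def normalise_endpoint(endpoint):
    """Return (scheme, host, port) with the README's defaults: 80 for http, 443 for https."""
    u = urlparse(endpoint)
    if u.scheme not in ("http", "https"):
        raise ValueError("endpoint must start with http:// or https://")
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.scheme, u.hostname, port


def latest_logstash_index(index_names):
    """Default index choice: the newest logstash-YYYY.MM.DD index, or None if there is none.

    Zero-padded dates sort correctly as strings, so the max of the date suffix is the newest day.
    None corresponds to the README's "check_index: No index found!" condition.
    """
    candidates = [n for n in index_names if n.startswith(LOGSTASH_PREFIX)]
    if not candidates:
        return None
    return max(candidates, key=lambda n: n[len(LOGSTASH_PREFIX):])


def build_query(size=10, doc_type="apache", hostname=None, since=None, **selectors):
    """Search body: newest `size` docs first, narrowed by exact-match terms.

    `selectors` maps field name to value (e.g. response="404", level="ERROR"); the field
    names are assumptions about the Logstash mapping. `since` is the -f watermark.
    """
    must = [{"term": {"type": doc_type}}]
    if hostname:
        must.append({"term": {"host": hostname}})          # assumed field name
    for field, value in selectors.items():
        must.append({"term": {field: value}})
    if since is not None:
        must.append({"range": {"@timestamp": {"gt": since}}})
    return {"size": size,
            "sort": [{"@timestamp": {"order": "desc"}}],
            "query": {"bool": {"must": must}}}


def search(docs, body):
    """Tiny in-memory stand-in for Elasticsearch.search(): apply the term/range clauses, sort, cut."""
    hits = list(docs)
    for clause in body["query"]["bool"]["must"]:
        if "term" in clause:
            (field, value), = clause["term"].items()
            hits = [d for d in hits if d.get(field) == value]
        else:
            since = clause["range"]["@timestamp"]["gt"]
            hits = [d for d in hits if d["@timestamp"] > since]   # ISO-8601 strings compare correctly
    hits.sort(key=lambda d: d["@timestamp"], reverse=True)
    return hits[: body["size"]]


def tail(docs, size=10, **kw):
    """Like `tail -n`: the newest `size` matching events, returned oldest first for display."""
    return list(reversed(search(docs, build_query(size=size, **kw))))


def follow(docs, last_seen, **kw):
    """One -f iteration: events strictly newer than the watermark (oldest first) and the new watermark.

    Because the watermark is a '>' comparison on @timestamp, events sharing the same
    timestamp as the watermark are never returned; a real implementation would tie-break
    on the document id. 10000 is assumed as the page size (a common max_result_window).
    """
    new = list(reversed(search(docs, build_query(size=10000, since=last_seen, **kw))))
    if new:
        last_seen = new[-1]["@timestamp"]
    return new, last_seen


# Constructed sample documents in the shape Logstash produces for the README's apache/java types.
SAMPLE_DOCS = [
    {"@timestamp": "2016-08-08T10:00:01Z", "type": "apache", "host": "server1.example.com",
     "response": "200", "verb": "GET", "message": "GET /index.html 200"},
    {"@timestamp": "2016-08-08T10:00:02Z", "type": "apache", "host": "server2.example.com",
     "response": "404", "verb": "GET", "message": "GET /missing 404"},
    {"@timestamp": "2016-08-08T10:00:03Z", "type": "java", "host": "server1.example.com",
     "level": "ERROR", "class": "error.handler.java.class", "message": "NullPointerException"},
    {"@timestamp": "2016-08-08T10:00:04Z", "type": "apache", "host": "server1.example.com",
     "response": "200", "verb": "POST", "message": "POST /login 200"},
]

if __name__ == "__main__":
    for doc in tail(SAMPLE_DOCS, size=2):                       # equivalent of -n 2
        print(doc["@timestamp"], doc["message"])
    new, watermark = follow(SAMPLE_DOCS, "2016-08-08T10:00:02Z")  # one -f poll
    print("new since watermark:", [d["message"] for d in new], "->", watermark)
```

Against a real cluster the search() stand-in would be replaced by the elasticsearch module's Elasticsearch(...).search(index=..., body=...) call with the same body; the query shape, the index choice and the watermark logic stay as shown.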
Known issues
You need the elasticsearch Python module installed.
If you don't have it, run 'sudo pip install elasticsearch' to install it.
TLS error: "elasticsearch.exceptions.ConnectionError: ConnectionError(('Connection failed.', CannotSendRequest())) caused by: ConnectionError(('Connection failed.', CannotSendRequest()))"
Update urllib3 by running 'sudo pip install --upgrade urllib3', or use a non-HTTPS endpoint URL.
Error: "check_index: No index found! Exiting"
The current script only considers indices with the "logstash-" prefix. If you use any other prefix to index your logs it will fail.
If you think this shouldn't be this way please let me know in the comments.
Done for fun. Feel free to comment on bugs or additional desired features.
Thank you!