Convert Inspect window Kibana to CSV

cudeso · Dec 31, 2014 · 6d69d67 · 6d69d67
1 parent 6e24d4b
commit 6d69d67
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 0 deletions.
diff --git a/elk/inspect-to-csv/README.md b/elk/inspect-to-csv/README.md
@@ -0,0 +1,4 @@
+# Convert the 'Inspect' window in Kibana to CSV output
+
+Python script that reads the output from the Inspect value (stored in request_file variable), queries the Elasticsearch server and converts the output to CSV.
+Does not work on Histogram. Extracts the "facet" data.
diff --git a/elk/inspect-to-csv/inspect-to-csv.py b/elk/inspect-to-csv/inspect-to-csv.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python 
+#
+# Process the 'Inspect' command from Kibana and convert to CSV
+#
+# Save the 'inspect' window output in the variable 'request_file'
+# It will extract the URL and request and return CSV output
+# Does not work on histogram ...
+#
+#  Koen Van Impe on 2014-12-31
+#   koen dot vanimpe at cudeso dot be
+#   license New BSD : http://www.vanimpe.eu/license
+#
+#
+
+import requests
+import json
+
+request_file = "request.inspect"
+
+# Read the request
+f = open( request_file, "r")
+request = f.read()
+f.close()
+
+# Split URL and request
+curl_request = request.split("' -d '")
+p = curl_request[0].find("-XGET ")
+url = curl_request[0][p+7:]
+request = curl_request[1][0:-1]
+
+# Get the response from the Elasticsearch server
+response = requests.post(url, data=request)
+response_json = json.loads( response.text )
+
+# Print out all the master elements
+#for el in response_json:
+#   print el
+
+if "facets" in response_json:
+    if "terms" in response_json["facets"]:
+        terms = response_json["facets"]["terms"]["terms"]
+        for t in terms:
+            print "%s,%s" % (t["count"], t["term"])
+
+if "hits" in response_json:
+    print "Hits"
+    if "hits" in response_json["hits"]:
+        for h in response_json["hits"]["hits"]:
+            print h
+
+# Print the full response
+#print response.text
diff --git a/elk/inspect-to-csv/request.inspect b/elk/inspect-to-csv/request.inspect
@@ -0,0 +1,66 @@
+curl -XGET 'http://127.0.0.1:9200/_all/_search?pretty' -d '{
+  "facets": {
+    "terms": {
+      "terms": {
+        "field": "type",
+        "size": 10,
+        "order": "count",
+        "exclude": []
+      },
+      "facet_filter": {
+        "fquery": {
+          "query": {
+            "filtered": {
+              "query": {
+                "bool": {
+                  "should": [
+                    {
+                      "query_string": {
+                        "query": "basetype:\"honeypot\""
+                      }
+                    },
+                    {
+                      "query_string": {
+                        "query": "type:\"glastopf\""
+                      }
+                    },
+                    {
+                      "query_string": {
+                        "query": "type:\"conpot\""
+                      }
+                    },
+                    {
+                      "query_string": {
+                        "query": "type:\"dionaea\""
+                      }
+                    },
+                    {
+                      "query_string": {
+                        "query": "type:\"kippo\""
+                      }
+                    }
+                  ]
+                }
+              },
+              "filter": {
+                "bool": {
+                  "must": [
+                    {
+                      "range": {
+                        "@timestamp": {
+                          "from": 1417440142530,
+                          "to": 1420032142531
+                        }
+                      }
+                    }
+                  ]
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "size": 0
+}'