Skip to content
Commandline interface for logstash
Ruby Shell
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
bin
lib
spec
.gitignore
.rvmrc
Gemfile
README.md
Rakefile
logstashcli.gemspec

README.md

** Work in progress **

Description

A cli tool to query an elasticsearch host for logstash information. Because let's face it, we're CLI junkies :)

Mucho inspired by a gist of the eminent @lusis - https://gist.github.com/1388077

Installation

As a gem

$ gem install logstash-cli

From github

Tested with rvm and ruby-1.8.7

$ git clone git://github.com/jedi4ever/logstash-cli.git
$ cd logstash-cli
$ gem install bundler
$ bundle install

Usage

Using the Gem

# If you no rvm
$ bundle exec bin/logstash-cli

# If you have rvm , there is an alias in .rvmrc
$ logstash-cli

Using the Github version - through bundler

$ bundle exec bin/logstash-cli 

Commandline Options

Grep

Usage:
  logstash-cli grep PATTERN

Options:
  [--index-prefix=INDEX_PREFIX]  # Logstash index prefix
                                 # Default: logstash-
  [--fields=FIELDS]              # Logstash Fields to show
                                 # Default: message,program
  [--meta=META]                  # Meta Logstash fields to show
                                 # Default: type,message
  [--to=TO]                      # End date
                                 # Default: Today in YYYY-MM-DD HH:MM:SS form (the time is optional)
  [--delim=DELIM]                # plain or csv delimiter
                                 # Default: |
  [--format=FORMAT]              # Format to use for exporting
                                 # Default: csv
  [--from=FROM]                  # Begin date
                                 # Default: Today in YYYY-MM-DD HH:MM:SS form (the time is optional)
  [--size=SIZE]                  # Number of results to return
                                 # Default: 500
  [--esurl=ESURL]                # URL to connect to elasticsearch
                                 # Default: http://localhost:9200
  [--last=LAST]                  # Specify period since now (Examples: 10min, 3hrs, 4days, 1wk, 1yr)

Search logstash for a pattern

Tail

Usage:
  logstash-cli tail

Options:
      [--host=HOST]                    # Host to connect to AMQP
                                       # Default: localhost
  --amqpurl, [--url=URL]               # Alternate way to specify settings via an AMQP Url f.i. amqp://logstash:foopass@localhost:5672. 
 This takes precendence over other settings. Note that username and password need to be percentage encoded(URL encoded) in case of special characters
      [--auto-delete]                  # Autodelete Exchange or not
      [--vhost=VHOST]                  # VHost to connect to AMQP
                                       # Default: /
      [--persistent]                   # Persistent Exchange or not
      [--ssl]                          # Enable SSL to connect to AMQP
      [--user=USER]                    # User to connect to AMQP
                                       # Default: logstash
      [--meta=META]                    # Meta Logstash fields to show
                                       # Default: timestamp,type,message
      [--format=FORMAT]                # Format to use for exporting (plain,csv,json)
                                       # Default: csv
      [--key=KEY]                      # Routing key
                                       # Default: #
      [--port=PORT]                    # Port to connect to AMQP
                                       # Default: 5672
      [--exchange=EXCHANGE]            # Exchange name
                                       # Default: rawlogs
      [--password=PASSWORD]            # Password to connect to AMQP
                                       # Default: foo
      [--delim=DELIM]                  # plain or csv delimiter
                                       # Default: |
      [--exchange-type=EXCHANGE_TYPE]  # Exchange Type
                                       # Default: direct
      [--durable]                      # Durable Exchange or not

Stream a live feed via AMQP

Count

Usage:
  logstash-cli count PATTERN --countfield=COUNTFIELD

Options:
  [--meta=META]                  # Meta Logstash fields to show
  [--last=LAST]                  # Specify period since now f.i. 1d
  [--from=FROM]                  # Begin date
                                 # Default: Today in YYYY-MM-DD form
  [--delim=DELIM]                # plain or csv delimiter
                                 # Default: |
  --countfield=COUNTFIELD        # Logstash field to count
  [--countsize=COUNTSIZE]        # Number of most frequent values to return
                                 # Default: 50
  [--format=FORMAT]              # Format to use for exporting (plain,csv,json)
                                 # Default: csv
  [--to=TO]                      # End date
                                 # Default: Today in YYYY-MM-DD form
  [--fields=FIELDS]              # Logstash fields to show
  [--size=SIZE]                  # Number of results per index to show
                                 # Default: 10
  [--esurl=ESURL]                # URL to connect to elasticsearch
                                 # Default: http://localhost:9200
  [--index-prefix=INDEX_PREFIX]  # Logstash index prefix
                                 # Default: logstash-

Return most frequent values of a field within a pattern and optionally show associated fields

Examples

$ logstash-cli grep --esurl="http://logger-1.jedi.be:9200" '@message:jedi4ever AND program:sshd' --last 5d --format csv --delim ':'

$ logstash-cli tail --amqpurl="amqp://logger-1.jedi.be:5672" --key="program.sshd"

$ logstash-cli count --esurl="http://logger-1.jedi.be:9200" '@message:jedi4ever' --countfield=program

TODO

  • find a way to query existing instances
  • find a way to get the results by streaming instead of loading all in memory (maybe pagination will help here)
  • produce ascii histograms
  • or sparklines
Something went wrong with that request. Please try again.