{"id":123,"date":"2023-03-19T08:44:23","date_gmt":"2023-03-19T07:44:23","guid":{"rendered":"http:\/\/10.4.44.99:10084\/?p=123"},"modified":"2023-04-27T16:13:50","modified_gmt":"2023-04-27T15:13:50","slug":"elk-useful-commands","status":"publish","type":"post","link":"https:\/\/www.winni.at\/wordpress\/?p=123","title":{"rendered":"ELK useful commands"},"content":{"rendered":"\n<p><strong>Show cluster health | pretty formatted<\/strong><\/p>\n\n\n\n<p>curl -XGET 'IP-OF-ELASTIC-SERVER:9200\/_cluster\/health?pretty'<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Show cluster settings | pretty formatted<\/strong><\/p>\n\n\n\n<p>curl -XGET 'IP-OF-ELASTIC-SERVER:9200\/_cluster\/settings?pretty'<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Show all indexes<\/strong><\/p>\n\n\n\n<p><samp>curl -XGET 'IP-OF-ELASTIC-SERVER:9200\/_cat\/indi<\/samp><\/p>\n\n\n\n<p><strong>Show all indexes which start with logsta*<\/strong><\/p>\n\n\n\n<p><samp>curl -XGET 'IP-OF-ELASTIC-SERVER:9200\/_cat\/indices\/logsta*?v&amp;s=index'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Show all indexes\/shards in state unassigned<\/strong><\/p>\n\n\n\n<p><samp>curl -XGET -H 'Content-Type: application\/json' http:\/\/IP-OF-ELASTIC-SERVER:9200\/_cat\/shards | grep UNASSIGNED<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Unlock all indexes manually<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H &quot;Content-Type: application\/json&quot; http:\/\/IP-OF-ELASTIC-SERVER:9200\/_all\/_settings -d '{&quot;index.blocks.read_only_allow_delete&quot;: null}'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Get default logstash template from elasticsearch | pretty formatted | stored in temp directory<\/strong><\/p>\n\n\n\n<p><samp>curl -XGET 'IP-OF-ELASTIC-SERVER:9200\/_template\/logstash?pretty' > \/tmp\/logstash-template.json<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Upload modified logstash template to elasticsearch from directory where 
logstash-template.json exists | hint: don't forget to remove the logstash parameter in the file<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/_template\/logstash' -d &quot;@logstash-template.json&quot;<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Run logstash from the command line with all config files in debug mode<\/strong><\/p>\n\n\n\n<p><samp>\/usr\/share\/logstash\/bin\/logstash --path.settings \/etc\/logstash\/ -r -f &quot;\/etc\/logstash\/conf.d\/*&quot; --log.level debug<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Run logstash from the command line with a specific config file in debug mode<\/strong><\/p>\n\n\n\n<p><samp>\/usr\/share\/logstash\/bin\/logstash --path.settings \/etc\/logstash\/ -r -f &quot;\/etc\/logstash\/conf.d\/00-test.config&quot; --log.level debug<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Change the number of replicas of one existing index<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/.alert\/_settings' -d '{ &quot;index&quot; : {&quot;number_of_replicas&quot; : 0}}'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Change the number of replicas of multiple existing indexes | sets number_of_replicas:0 on all cisco indexes from the year 2018<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/logstash-cisco-2018.*.*\/_settings' -d '{ &quot;index&quot; : {&quot;number_of_replicas&quot; : 0}}'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Delete all indexes from a year<\/strong><\/p>\n\n\n\n<p><samp>curl -XDELETE 'IP-OF-ELASTIC-SERVER:9200\/logstash-cisco-2018.*.*'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Create an index manually from cli via curl | name of index is aa_test_index | number_of_shards:1 and 
number_of_replicas:0<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/aa_test_index?pretty' -d '{&quot;settings&quot; : {&quot;index&quot; : {&quot;number_of_shards&quot; : 1,&quot;number_of_replicas&quot; : 0 }}}'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Create an index manually from cli by using logstash | name of index is aa_test_index_from_cli<\/strong><\/p>\n\n\n\n<p><samp>\/usr\/share\/logstash\/bin\/logstash --path.settings &quot;\/etc\/logstash\/&quot; -e 'input { stdin { } } output { elasticsearch { hosts => &quot;IP-OF-ELASTIC-SERVER:9200&quot; index => &quot;aa_test_index_from_cli&quot; } }'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Logstash config test<\/strong><\/p>\n\n\n\n<p><samp>\/usr\/share\/logstash\/bin\/logstash --path.settings &quot;\/etc\/logstash\/&quot; --config.test_and_exit -f \/etc\/logstash\/conf.d\/<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Set existing index to read-only | ! needed for shrinking shards ! 
| this command sets all shards from December 2018 to read-only<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/logstash-cisco-2018.12.*\/_settings' -d '{&quot;index.blocks.write&quot;: true}'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Shrink existing shards | shrinks the data from existing index &#8220;logstash-cisco-2018.12.24&#8221; to the new &#8220;smaller index&#8221; logstash-cisco-2018.12.24-shrinked | copy all index settings to new one | number_of_shards:1 and number_of_replicas:0 | using best_compression | disable read-only mode<\/strong><\/p>\n\n\n\n<p><samp>curl -XPOST -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/logstash-cisco-2018.12.24\/_shrink\/logstash-cisco-2018.12.24-shrinked?copy_settings=true' -d '{ &quot;settings&quot;: { &quot;index.number_of_replicas&quot;: 0, &quot;index.number_of_shards&quot;: 1, &quot;index.codec&quot;: &quot;best_compression&quot;, &quot;index.routing.allocation.require._name&quot;: null, &quot;index.blocks.write&quot;: null }, &quot;aliases&quot;: { &quot;my_search_indices&quot;: {} }}'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Increase the elasticsearch shard limit from 1000 to 5000 for each node<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/_cluster\/settings' -d '{ &quot;persistent&quot; : {&quot;cluster.max_shards_per_node&quot; : 5000}}'<\/samp><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Set the Cluster Metadata Administrator Email address<\/strong><\/p>\n\n\n\n<p><samp>curl -XPUT -H 'Content-Type: application\/json' 'IP-OF-ELASTIC-SERVER:9200\/_cluster\/settings' -d '{ &quot;persistent&quot; : {&quot;cluster.metadata.administrator&quot; : &quot;<a 
href=\"mailto:ikt-is@vor.at\">admin@yourdomain.com<\/a>&quot;}}'<\/samp><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Show cluster health | pretty formatted curl -XGET 'IP-OF-ELASTIC-SERVER:9200\/_cluster\/health?pretty' Show cluster settings | pretty formatted curl -XGET 'IP-OF-ELASTIC-SERVER:9200\/_cluster\/settings?pretty' Show all<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[3],"tags":[48,49,59,60,61,62,107,108,109,116,124,126,127,135],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","category-kb","tag-cluster-health","tag-config-test","tag-elk","tag-elk-cluster","tag-elk-cluster-health","tag-elk-index-unlock","tag-increase-elasticsearch-number-of-shards","tag-index","tag-index-unlock","tag-kibana","tag-logstash","tag-logstash-config-test","tag-logstash-template","tag-maximum-shards"],"_links":{"self":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=123"}],"version-history":[{"count":2,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":238,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions\/238"}],"wp:attachment":[{"href":"https:\/\/w
ww.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}