Elasticsearch Cheat Sheet (pfELK)
Version vom 13. September 2025, 17:52 Uhr von Thomas.will (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „== Indices anzeigen == * curl -u elastic:123Start$ -k "https://localhost:9200/_cat/indices?v" == Alle Data Streams anzeigen == * curl -u elastic:123Start$ -k…“)
Indices anzeigen
- curl -u elastic:123Start$ -k "https://localhost:9200/_cat/indices?v"
Alle Data Streams anzeigen
- curl -u elastic:123Start$ -k "https://localhost:9200/_cat/data_stream?v"
Letzte Dokumente aus Suricata
- curl -u elastic:123Start$ -k \
"https://localhost:9200/.ds-logs-pfelk-suricata-*/_search?pretty" \ -H 'Content-Type: application/json' -d '{
"size": 5,
"sort": [ { "@timestamp": "desc" } ],
"_source": ["@timestamp","suricata.eve.alert.signature","source.ip","destination.ip","event.type"]
}'
Letzte Dokumente (egal welcher Namespace)
- curl -u elastic:123Start$ -k \
"https://localhost:9200/.ds-logs-pfelk-*/_search?pretty" \ -H 'Content-Type: application/json' -d '{
"size": 5,
"sort": [ { "@timestamp": "desc" } ],
"_source": ["@timestamp","log.syslog.appname","data_stream.namespace","message"]
}'
Suche nach Keyword (z. B. suricata)
- curl -u elastic:123Start$ -k "https://localhost:9200/_search?q=suricata&pretty"
Index löschen (Beispiel suricata von heute)
- curl -u elastic:123Start$ -k -XDELETE "https://localhost:9200/.ds-logs-pfelk-suricata-2025.09.13-000001"
Index-Template (Übersicht)
- curl -u elastic:123Start$ -k "https://localhost:9200/_cat/templates?v"
Cluster-Health
- curl -u elastic:123Start$ -k "https://localhost:9200/_cluster/health?pretty"