-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path10_query.yml
52 lines (52 loc) · 2.08 KB
/
10_query.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
---
requires:
serverless: false
stack: true
---
setup:
- do:
indices.create:
index: esql-test
body:
mappings:
properties: { 'client.ip': { 'type': 'ip' }, 'message': { 'type': 'keyword' } }
- do:
bulk:
refresh: true
index: esql-test
body:
- "index": {}
- { "@timestamp": "2023-10-23T12:15:03.360Z", "client.ip": "172.21.2.162", "message": "Connected to 10.1.0.3", "event.duration": 3450233 }
- "index": {}
- { "@timestamp": "2023-10-23T12:27:28.948Z", "client.ip": "172.21.2.113", "message": "Connected to 10.1.0.2", "event.duration": 2764889 }
- "index": {}
- { "@timestamp": "2023-10-23T13:33:34.937Z", "client.ip": "172.21.0.5", "message": "Disconnected", "event.duration": 1232382 }
- "index": {}
- { "@timestamp": "2023-10-23T13:51:54.732Z", "client.ip": "172.21.3.15", "message": "Connection error", "event.duration": 725448 }
- "index": {}
- { "@timestamp": "2023-10-23T13:52:55.015Z", "client.ip": "172.21.3.15", "message": "Connection error", "event.duration": 8268153 }
- "index": {}
- { "@timestamp": "2023-10-23T13:53:55.832Z", "client.ip": "172.21.3.15", "message": "Connection error", "event.duration": 5033755 }
- "index": {}
- { "@timestamp": "2023-10-23T13:55:01.543Z", "client.ip": "172.21.3.15", "message": "Connected to 10.1.0.1", "event.duration": 1756467 }
---
teardown:
- do:
indices.delete:
index: esql-test
---
"ES|QL":
- do:
esql.query:
body:
query: "FROM esql-test | EVAL duration_ms = ROUND(event.duration / 1000000.0, 1)"
- match: { columns.0.name: "@timestamp" }
- match: { columns.0.type: "date" }
- match: { columns.1.name: "client.ip" }
- match: { columns.1.type: "ip" }
- match: { columns.2.name: "event.duration" }
- match: { columns.2.type: "long" }
- match: { columns.3.name: "message" }
- match: { columns.3.type: "keyword" }
- match: { columns.4.name: "duration_ms" }
- match: { columns.4.type: "double" }