Amazon Elasticsearch Service now supports standard SQL syntax. For system administrators used to pipelines, it also supports PPL (Piped Processing Language). Here is the same query in both forms. It pulls the userAgent and eventID of S3 object writes (PutObject, UploadPart, UploadPartCopy) into buckets whose names start with web:
select userAgent, eventID from newcwl where requestParameters.bucketName.keyword like 'web%' and (eventName.keyword like 'PutObject%' or eventName.keyword like 'UploadPartCopy%' or eventName.keyword like 'UploadPart%');
And here is the PPL syntax:
search source=newcwl eventSource.keyword='s3.amazonaws.com' | where like(eventName.keyword, 'PutObject%') or like(eventName.keyword, 'UploadPart%') or like(eventName.keyword, 'UploadPartCopy%') | where like(requestParameters.bucketName.keyword, 'web%') | fields userAgent, eventID
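To see exactly which records the two queries select, here is an added Python example (not from the post) that applies the same filter locally to a few constructed CloudTrail-style records; SQL LIKE is reimplemented so the prefix match behaves as it does on a case-sensitive .keyword field.

```python
import re

# Constructed CloudTrail-style records (not real data), showing only the
# fields the two queries reference.
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userAgent": "aws-cli/2.0", "requestParameters": {"bucketName": "web-assets"}},
    {"eventID": "ev-2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userAgent": "Mozilla/5.0", "requestParameters": {"bucketName": "web-assets"}},
    {"eventID": "ev-3", "eventSource": "s3.amazonaws.com", "eventName": "UploadPartCopy",
     "userAgent": "aws-sdk-go/1.3", "requestParameters": {"bucketName": "logs-archive"}},
    {"eventID": "ev-4", "eventSource": "s3.amazonaws.com", "eventName": "UploadPart",
     "userAgent": "aws-cli/2.0", "requestParameters": {"bucketName": "website-prod"}},
    {"eventID": "ev-5", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userAgent": "aws-cli/2.0", "requestParameters": {"bucketName": "Web-Assets"}},
]

# The event-name patterns used by the post's queries (UploadPart% already
# covers UploadPartCopy, but the list mirrors the query as written).
WRITE_EVENT_PATTERNS = ("PutObject%", "UploadPart%", "UploadPartCopy%")


def like(value, pattern):
    """SQL LIKE semantics: '%' matches any run, '_' one character.

    Case-sensitive, matching how LIKE behaves on a .keyword subfield.
    """
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def web_bucket_writes(events):
    """Mirror the post's query: (userAgent, eventID) of S3 object writes
    into buckets whose names start with 'web', in input order."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName", "")
        if not like(bucket, "web%"):
            continue
        if any(like(ev.get("eventName", ""), p) for p in WRITE_EVENT_PATTERNS):
            hits.append((ev["userAgent"], ev["eventID"]))
    return hits


if __name__ == "__main__":
    for user_agent, event_id in web_bucket_writes(SAMPLE_EVENTS):
        print(f"{event_id}\t{user_agent}")
```

Note that ev-5 is dropped because the bucket name starts with an upper-case W; if your bucket names vary in case, query a lowercased analyzed field instead of .keyword.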
It really is a cool feature. I have been looking for something like this for years!
Tags: elastic, usability