A command line tool to query log events from ElasticSearch, a bit like tail for Logstash/ElasticSearch.
Lstail queries ElasticSearch for log events and displays them on the terminal. Saved Searches from Kibana can be used for quick access to filters and prepared column configuration. For more details and usage examples please see the documentation at https://lstail.org/.
Lstail requires Python 3.5 or newer. The easiest method is to install directly from pypi using pip:
pip install lstail
If you prefer, you can download lstail and install it directly from source:
python setup.py install
The source code is available at https://github.com/eht16/lstail/.
Before using Lstail, you need to create a config file called
Lstail will search for
lstail.conf in the following locations (in that order):
Alternatively, you can specify the name of the config file to be read
--config command line parameter.
An example config file can be found in the sources or online
The important part to modify in the config file is the
which must be edited to point to your ElasticSearch instance to query
For details on all configuration options, please see the documentation: https://lstail.org/.
Display events (from the configured index pattern) since ten minutes:
lstail -r 10m
Display the last 20 events (from the configured index pattern):
lstail -n 20
Display all events matching the given query:
lstail -q 'host: google.com'
List Saved Searches from Kibana:
Display and follow events using the Saved Search "Syslog" (use Ctrl-C to interrupt):
lstail -s Syslog -f
Overwrite search query for Saved Search "Syslog" (i.e. ignore the query stored in the Saved Search but use the configured columns):
lstail -s Syslog -q program:cron
usage: lstail [-h] [-V] [-d] [-v] [-c FILE] [-f] [-l] [-H] [--csv] [-n NUM] [-q QUERY] [-r RANGE] [-s NAME] optional arguments: -h, --help show this help message and exit -V, --version show version and exit -d, --debug enable tracebacks -v, --verbose Show own log messages -c FILE, --config FILE configuration file path -f, --follow Constantly fetch new data from ElasticSearch -l, --list-saved-searches List all saved searches from Kibana -H, --no-header Do not print header line before the output --csv Use CSV (comma separated) output -n NUM, --lines NUM Output the last NUM lines, instead of the last 10 -q QUERY, --query QUERY Set/Overwrite the search query (use Lucene query syntax) -r RANGE, --range RANGE Query events from the last RANGE minutes(m)/hours(h)/days(d) -s NAME, --saved-search NAME Saved search title as stored in Kibana
Found a bug or got a feature request? Please report it at https://github.com/eht16/lstail/issues.