I use the elastic python dsl, for example, I have a Zabbix user parameter "UserParameter=watch_counter[*],/etc/zabbix/watch_counter.py $1 $2"
$1 is the index pattern to search, $2 is the time in minutes.


Parts of the python code:
from elasticsearch import *
from elasticsearch_dsl import *

<setup the Elasticsearch api with hosts and auth info>

s = Search(using=es, index=w_index).filter(
"range", **{"@timestamp": {"gte": "now-" + w_interval + "m/s", "lt": "now/s"}}
)

print(s.count())

In my case, I don't filter events, I'm just interested in the count of events over time.

I also use similar scripts with zabbix sender. The script above must run in the time provided by the agent timeout, these are quick searches, so I don't have trouble, but for more complex, I use cron and zabbix sender.

A also do lld from Elastic, for example:
<setup stuff>
s.aggs.bucket("hosts", "terms", field="winlog.computer_name", size=100)

results = s.execute()

lld = []

for dc in results["aggregations"]["hosts"]["buckets"]:
found_dc = {"{#DC}": dc["key"]}
lld.append(found_dc)

# pprint.pprint(lld)

print("z-host", "dc_lld", json.dumps(lld))

This produced JSON of all windows servers matching some query, in our case domain controllers. We "discover" new DC's then monitor them to make sure they send log events periodically.

Elastic touts their alerting, but it's a snowflake, if you already have alerting somewhere else (we used Zabbix) that was integrated with our oncall application, we don't need a different way, we need integration.