【发布时间】:2017-05-24 22:34:55
【问题描述】:
我有 ELK 5.2.1 用于日志分析。现在我需要通过 Kibana 搜索栏搜索一些字符串。例如,我需要查找包含“usage:527”的日志。我理解语法应该遵循https://lucene.apache.org/core/2_9_4/queryparsersyntax.html。但这对我不起作用。 我试过了:
"usage\:527"
"usage:527"
"usage?527"
message:/usage\:527/
message:/.*usage:527.*/
但没有任何效果。任何有经验的人可以帮助我吗?谢谢!
我知道使用开发工具查询是另一种方式,但我的一些 ELK 用户没有这种能力。
这是索引详细信息:
curl -XGET -u elastic localhost:9200/app_web_log-20170410
Enter host password for user 'elastic':
{"app_web_log-20170410":{"aliases":{},"mappings":{"log":{"properties":{"@timestamp":{"type":"date"},"@version":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"beat":{"properties":{"hostname":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"name":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"version":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}},"deployment":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"input_type":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"message":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"module":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"offset":{"type":"long"},"source":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"type":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}}},"settings":{"index":{"creation_date":"1491782403146","number_of_shards":"5","number_of_replicas":"1","uuid":"73cWj5AHTmeFdXnJk4xCjQ","version":{"created":"5020199"},"provided_name":"app_web_log-20170410"}}}}
【问题讨论】:
-
也试过
{"match":{"message":"usage?275"}}。但还是不行。 -
你的
message字段的映射是什么? -
消息字段来自logstash。是日志条目
-
运行
curl -XGET localhost:9200/logstash-*会得到什么? -
我只有 {}。实际上我没有以logstahs *开头的索引。我已经改名了。但是使用该命令也得到了 {}
标签: elasticsearch kibana