我尝试部署EFK基础设施(elasticsearch、fluentd、kibana),用fluentd替换原先基于logstash的方案。
Fluentd可以毫无问题地将记录保存到elasticsearch中。我将logstash_format
指令的值设置为true,以便与logstash兼容。
Kibana没有显示任何记录。
使用tcpdump,我可以看到从kibana到elasticsearch(以及响应)的请求
GET /logstash-2014.03.28,logstash-2014.03.29/_aliases?ignore_missing=true HTTP/1.1
返回我唯一的索引。
POST /logstash-2014.03.29/_search?search_type=count HTTP/1.1
请求体为以下数据……
{
"facets": {
"0": {
"date_histogram": {
"field": "@timestamp",
"interval": "10m"
},
"global": true,
"facet_filter": {
"fquery": {
"query": {
"filtered": {
"query": {
"query_string": {
"query": "*"
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": 1396032396265,
"to": "now"
}
}
}
]
}
}
}
}
}
}
}
},
"size": 0
}
……返回
{
"took": 15,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 159,
"max_score": 0,
"hits": []
},
"facets": {
"0": {
"_type": "date_histogram",
"entries": []
}
}
}
POST /logstash-2014.03.29/_search HTTP/1.1
请求体为以下数据……
{
"query": {
"filtered": {
"query": {
"bool": {
"should": [
{
"query_string": {
"query": "*"
}
}
]
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": 1396032396560,
"to": "now"
}
}
}
]
}
}
}
},
"highlight"
却不返回任何记录……
{
"took": 8,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 0,
"max_score": null,
"hits": []
}
}
但是,如果我对相同的网址使用不带请求体的GET,则会返回记录。
{
"hits": [
{
"_index": "logstash-2014.03.29",
"_type": "fluentd",
"_id": "p9ck6aNoQq-rJFqV1nbVyQ",
"_score": 1,
"_source": {
"host": "ubuntu02",
"ident": "",
"message": ":PRO::apache::access: 192.168.10.51 - kibana [29/Mar/2014:17:03:35 +0100] \"GET /index.html HTTP/1.1\" 200 2976 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36\" kibana.smartpurposes.net:443 0",
"@timestamp": "2014-03-29T17:03:35+01:00"
}
}
]
}
GET /logstash-2014.03.29/_mapping HTTP/1.1
返回如下内容……
{
"logstash-2014.03.29": {
"mappings": {
"_default_": {
"_all": {
"enabled": false
},
"properties": {
"@fields": {
"dynamic": "true",
"properties": {
"ldaperrnum": {
"type": "integer"
}
}
}
}
},
"fluentd": {
"_all": {
"enabled": false
},
"properties": {
"@fields": {
"dynamic": "true",
"properties": {
"ldaperrnum": {
"type": "integer"
}
}
},
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"host": {
"type": "string"
},
"message": {
"type": "string"
}
}
}
}
}
}
这些请求每个都会返回数据,但kibana却不显示任何内容。
有什么想法吗?
更新
如果我发出……
POST /logstash-2014.03.29/_search HTTP/1.1
并使用以下请求体(去掉了query部分),则可以正常工作。
{
"highlight": {
"fields": {},
"fragment_size": 2147483647,
"pre_tags": [
"@start-highlight@"
],
"post_tags": [
"@end-highlight@"
]
},
"size": 500,
"sort": [
{
"@timestamp": {
"order": "desc"
}
},
{
"@timestamp": {
"order": "desc"
}
}
]
}
所以问题似乎就出在下面这段。(注意:上面的映射中 `_all` 字段被禁用(`"enabled": false`),而 query_string 在未指定字段时默认搜索的正是 `_all`,这可能是该查询匹配不到任何记录的原因,需要确认。)
{
"query": {
"filtered": {
"query": {
"bool": {
"should": [
{
"query_string": {
"query": "*"
}
}
]
}
}
}
}
}