Kibana splits the URL

Time: 2014-11-11 12:24:59

Tags: logging nginx elasticsearch kibana

I'm running into a problem with Kibana 3. I'm storing Nginx access logs and need to display the top web requests.

I'm using logstash with this simple filter:

filter {
  grok {
    match => [ "message", "%{SYSLOGBASE} %{COMBINEDAPACHELOG}" ]
  }
}

The Elasticsearch result for a query looks fine:

root@elk01:~# curl -XGET http://localhost:9200/logstash-2014.11.11/nginx/6bf4PWmhQq6bV0T5YCwI5w?pretty
{
  "_index" : "logstash-2014.11.11",
  "_type" : "nginx",
  "_id" : "6bf4PWmhQq6bV0T5YCwI5w",
  "_version" : 1,
  "found" : true,
  "_source":{"message":"Nov 11 01:00:19 web09 ngxaccess: 178.178.178.178 - - [11/Nov/2014:01:00:10 +0100] \"GET /avatars/t/144402.jpg HTTP/1.1\" 200 7019 \"http://www.domain.com/fr\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_6 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B651 Safari/9537.53\"","@version":"1","@timestamp":"2014-11-11T00:00:20.249Z","type":"nginx","host":"elk01","path":"/var/log/HOSTS/10.10.10.10/access.log","timestamp":["Nov 11 01:00:19","11/Nov/2014:01:00:10 +0100"],"logsource":"web09","program":"ngxaccess","clientip":"178.178.178.178","ident":"-","auth":"-","verb":"GET","request":"/avatars/t/144402.jpg","httpversion":"1.1","response":"200","bytes":"7019","referrer":"\"http://www.domain.com/fr\"","agent":"\"Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_6 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B651 Safari/9537.53\""}
}

The mapping also looks fine:

root@elk01:~# curl -XGET http://localhost:9200/logstash-2014.11.11/_mapping?pretty
...
"request" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },

But in Kibana I get a split request field, in this example avatars instead of /avatars/t/144402.jpg

What am I doing wrong? Has anyone already had this problem?

Thanks in advance.

Benoît

3 answers:

Answer 0 (score: 1)

Yes, everyone who has ever used Elasticsearch with non-word data (log files, for example) has run into this problem.

The field is being analyzed, as your mapping shows. Logstash tries to help you by creating an unanalyzed "raw" multi-field. In Kibana, try referring to "request.raw" instead.
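To make the answer above concrete, here is an added Python illustration (not part of the original thread, and not Elasticsearch's own code) of what the standard analyzer does to a request path and why a top-N over the analyzed `request` field shows `avatars` while the same top-N over `request.raw` shows whole paths. The tokenizer is an approximation of the standard analyzer's word-break rules for ASCII input, not the real Lucene analyzer, and the log lines, hosts, IPs and paths are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the same syslog + combined-log shape as the
# question (hypothetical hosts, IPs and paths; not from a real server).
SAMPLE_LOG_LINES = [
    'Nov 11 01:00:19 web09 ngxaccess: 10.0.0.1 - - [11/Nov/2014:01:00:10 +0100] "GET /avatars/t/144402.jpg HTTP/1.1" 200 7019 "http://www.domain.com/fr" "Mozilla/5.0"',
    'Nov 11 01:00:20 web09 ngxaccess: 10.0.0.2 - - [11/Nov/2014:01:00:11 +0100] "GET /avatars/t/144402.jpg HTTP/1.1" 200 7019 "-" "curl/7.38"',
    'Nov 11 01:00:21 web09 ngxaccess: 10.0.0.3 - - [11/Nov/2014:01:00:12 +0100] "GET /avatars/t/9.png HTTP/1.1" 200 512 "-" "curl/7.38"',
    'Nov 11 01:00:22 web09 ngxaccess: 10.0.0.4 - - [11/Nov/2014:01:00:13 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38"',
    'Nov 11 01:00:23 web09 ngxaccess: 10.0.0.5 - - [11/Nov/2014:01:00:14 +0100] "POST /login HTTP/1.1" 302 0 "-" "curl/7.38"',
]

# Minimal stand-in for the grok pattern: pull the path out of the quoted
# "METHOD path HTTP/x.y" part of a combined log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"')


def extract_requests(lines):
    """Return the request path of every line that matches, in input order."""
    out = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            out.append(m.group(1))
    return out


# Runs of letters, digits and dots; everything else ('/', '-', '?', ...) breaks a word.
RUN_RE = re.compile(r"[A-Za-z0-9.]+")


def _split_run(run):
    """Keep a '.' only when both neighbours are letters or both are digits
    (so 'www.domain.com' survives but '144402.jpg' splits), as the Unicode
    word-break rules used by the standard tokenizer do."""
    tokens, cur = [], ""
    for i, ch in enumerate(run):
        if ch == ".":
            prev = run[i - 1] if i > 0 else ""
            nxt = run[i + 1] if i + 1 < len(run) else ""
            joined = (prev.isalpha() and nxt.isalpha()) or (prev.isdigit() and nxt.isdigit())
            if joined:
                cur += ch
            else:
                if cur:
                    tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def analyze_standard(text):
    """Approximation of the standard analyzer on ASCII input: lowercase, then
    tokenize with the rules in _split_run.  This is what an analyzed `request`
    field is indexed as, and therefore what a terms panel counts."""
    tokens = []
    for run in RUN_RE.findall(text.lower()):
        tokens.extend(_split_run(run))
    return tokens


def top_terms(values, analyzed, n=3):
    """Top-n (term, document count) as a terms facet/aggregation sees them.
    analyzed=True models the analyzed `request` field; analyzed=False models
    the not_analyzed `request.raw` multi-field, whose single term is the
    whole original value."""
    counts = Counter()
    for v in values:
        if analyzed:
            # one count per document per distinct term, order-preserving dedup
            counts.update(list(dict.fromkeys(analyze_standard(v))))
        else:
            counts[v] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    requests = extract_requests(SAMPLE_LOG_LINES)
    print("tokens of /avatars/t/144402.jpg:", analyze_standard("/avatars/t/144402.jpg"))
    print("top terms over request     :", top_terms(requests, analyzed=True))
    print("top terms over request.raw :", top_terms(requests, analyzed=False))
```

Run as-is: the analyzed field ranks `avatars` first even though no document has `avatars` as its request, because every path under `/avatars/` contributes that token; the `.raw` multi-field ranks the complete `/avatars/t/144402.jpg`, which is the top-requests view the question asks for. The same reasoning applies to any analyzed string field you aggregate on (referrer, agent, host).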

Answer 1 (score: 0)

The trailing .raw on my field did the trick :)

Answer 2 (score: 0)

If you are not populating the data through logstash, or for some reason you don't have the raw field, you can create it like this (ES5):

curl -XPUT 'my-es:9200/my-index/_mapping/my-mapping' -H 'Content-Type: application/json' -d '
{
  "properties": {
    "request": {
      "type": "string",
      "fields": {
        "raw": { "type": "keyword" }
      }
    }
  }
}'