我有ELK 5.2.1进行日志分析。现在我需要通过Kibana搜索栏搜索一些字符串。例如,我需要找到包含“usage:527”的日志。我理解语法应遵循https://lucene.apache.org/core/2_9_4/queryparsersyntax.html。但它对我不起作用。 我试过了:
"usage\:527"
"usage:527"
"usage?527"
message:/usage\:527/
message:/.*usage:527.*/
但没有任何效果。任何人都有经验可以帮助我吗?谢谢!
我理解使用dev工具进行查询是另一种方式,但我的一些ELK用户没有那种能力。
这是索引详细信息:
curl -XGET -u elastic localhost:9200/app_web_log-20170410
Enter host password for user 'elastic':
{"app_web_log-20170410":{"aliases":{},"mappings":{"log":{"properties":{"@timestamp":{"type":"date"},"@version":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"beat":{"properties":{"hostname":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"name":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"version":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}},"deployment":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"input_type":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"message":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"module":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"offset":{"type":"long"},"source":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"type":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}}},"settings":{"index":{"creation_date":"1491782403146","number_of_shards":"5","number_of_replicas":"1","uuid":"73cWj5AHTmeFdXnJk4xCjQ","version":{"created":"5020199"},"provided_name":"app_web_log-20170410"}}}}
答案 0 :(得分:0)
根据您的映射,如果消息字段包含确切的值usage:527,您可以在Kibana中尝试以下查询:
message.keyword:"usage:527"
如果usage:527是您的消息字段的子字符串,那么您可以尝试regular expression,就像这样
message.keyword:/usage:527/