I'm new to the ELK stack and I'm running into a problem that I think should be very simple. I have log data like the following (retrieved from the Elasticsearch API):
{
  "_index": "filebeat-2017.06.02",
  "_type": "log",
  "_id": "AVxqBHFg2ZHUP62Y4ofK",
  "_version": 1,
  "found": true,
  "_source": { SNIPPING stuff I don't think is important here },
  "host": "LYNCHC",
  "source": "C:\\PathToTheFile.log",
  "message": "\"INFO\",\"mc-1\",\"04\/26\/2017\",\"02:26:55\",\"\",\";Error invoking external process **SNIPPING for brevity**",
  "type": "log",
  "tags": [ "beats_input_codec_plain_applied" ]
  }
}
and other logs like this one:
{
  "_index": "filebeat-2017.06.02",
  "_type": "log",
  "_id": "AVxqBHhd2ZHUP62Y4ofR",
  "_version": 1,
  "found": true,
  "_source": { SNIPPING stuff I don't think is important here },
  "host": "LYNCHC",
  "source": "C:\\PathToTheFile.log",
  "message": "\"ERROR\",\"mc-25\",\"03\/15\/2017\",\"19:27:09\",\"\",\"exception thrown trying to stop apache**SNIPPING for brevity**",
  "type": "log",
  "tags": [ "beats_input_codec_plain_applied" ]
  }
}
I want to build a query (an Elasticsearch query passed through Kibana) that finds the first log while filtering out the second (note that I can't just query for the word "error", because "error" is also contained in the second type of log).
I'm trying to do this with a regexp query, and I feel like this should work, but it doesn't (it returns zero results):
{
  "query": {
    "regexp": {
      "message": "\"ERROR\".*"
    }
  }
}
The following query does return results, but it returns both types of logs:
{
  "query": {
    "regexp": {
      "message": "error"
    }
  }
}
It's probably worth noting that case sensitivity does seem to matter (searching for "ERROR" also returns zero results). I'm not sure where I'm going wrong, and I feel like I'm following the documentation. Am I missing something?
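The behaviour in the question is what you get when a `regexp` query runs against an analyzed `text` field: Elasticsearch applies the regular expression to the individual terms the analyzer produced, not to the raw `message` string. Under the standard analyzer the line `"ERROR","mc-25",...` becomes the lowercased terms `error`, `mc`, `25`, ... with the quotes stripped, so `"ERROR".*` and `ERROR` can never match a term while `error` matches a term in both records. The following Python model, added here as an illustration and not taken from the question or from Elasticsearch itself, reproduces the three observed results and shows one query that does separate the two records: a `match_phrase` on the analyzed field, which requires the terms `error` and `mc` to be adjacent. Assumptions: the `message` field is mapped as `text` with the standard analyzer (the default for an unmapped string), the `standard_analyze` function is a simplified stand-in for that analyzer (fine for ASCII log lines like these), and the sample messages are constructed from the two records in the question; Lucene's regexp syntax differs from Python's `re`, but the patterns used here mean the same in both.

```python
import re

# Constructed sample messages, trimmed from the two records in the question.
LOG_INFO = '"INFO","mc-1","04/26/2017","02:26:55","",";Error invoking external process"'
LOG_ERROR = '"ERROR","mc-25","03/15/2017","19:27:09","","exception thrown trying to stop apache"'
DOCS = [LOG_INFO, LOG_ERROR]


def standard_analyze(text):
    """Simplified stand-in for Elasticsearch's standard analyzer (assumption: for
    ASCII log lines the result matches the real analyzer): split on anything that is
    not a letter or digit, drop the separators (quotes, commas, '-', '/', ':'), lowercase."""
    return [t.lower() for t in re.findall(r"[0-9A-Za-z]+", text)]


def regexp_query_hits(messages, pattern):
    """Model of a `regexp` query on a text field: the pattern is anchored and must
    match a whole indexed term, never the original message string."""
    rx = re.compile(pattern)
    return [m for m in messages if any(rx.fullmatch(t) for t in standard_analyze(m))]


def match_phrase_hits(messages, phrase):
    """Model of a `match_phrase` query: the phrase is analyzed with the same analyzer
    and its terms must appear in the document's terms adjacently and in order."""
    want = standard_analyze(phrase)
    hits = []
    for m in messages:
        toks = standard_analyze(m)
        if any(toks[i:i + len(want)] == want for i in range(len(toks) - len(want) + 1)):
            hits.append(m)
    return hits


def build_match_phrase_query(field, phrase):
    """Query DSL body to send to /_search for the phrase approach (hypothetical helper)."""
    return {"query": {"match_phrase": {field: phrase}}}


if __name__ == "__main__":
    # Reproduces the three results reported in the question.
    print(regexp_query_hits(DOCS, r'"ERROR".*'))   # [] : no term contains quotes
    print(regexp_query_hits(DOCS, "ERROR"))        # [] : terms are lowercased
    print(len(regexp_query_hits(DOCS, "error")))   # 2  : both records have an 'error' term
    # Distinguishes the records: only the ERROR line has 'error' directly followed by 'mc'.
    print(match_phrase_hits(DOCS, "error mc"))
    print(build_match_phrase_query("message", "error mc"))
```

Whether `match_phrase` is the right tool depends on the fields that follow the level column; an alternative, if the index template also maps a `keyword` sub-field for `message` (not visible in the question, so an assumption), is to run the original case-sensitive `"ERROR".*` regexp against that untokenized sub-field instead.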