Logtrail does not display data

Time: 2017-06-27 21:42:30

Tags: elasticsearch logstash kibana

I have an ELK stack with a custom Kibana container that includes Logtrail. When I open it, I can see the logs in Kibana, but not in the Logtrail plugin. I keep getting the message that no events were found.

My config looks like this (for testing purposes):

{
    "index_patterns" : [
        {
            "es": {
                "default_index": "logstash-*",
                "allow_url_parameter": false
            },
            "tail_interval_in_seconds": 5,
            "max_buckets": 500,
            "nested_objects" : false,
            "display_timezone": "local",
            "default_time_range_in_days" : 0,
            "max_hosts": 10,
            "display_timestamp_format": "MM-dd HH:mm:ss.fff",
            "fields" : {
                "mapping" : {
                    "timestamp" : "@timestamp",
                    "display_timestamp" : "@timestamp",
                    "hostname" : "message",
                    "program": "message",
                    "message": "message"
                }
            }
        }
    ]
}

My log entry, as visible in Kibana:

{
  "_index": "logstash-2017.06.27",
  "_type": "logs",
  "_id": "AVzrfuXhrXfjBRR51Pyo",
  "_version": 1,
  "_score": null,
  "_source": {
    "source_host": "10.255.0.5",
    "level": 6,
    "created": "2017-06-27T13:31:01.373596557Z",
    "log_level": "DEBUG",
    "message": "Discovered 3 resources",
    "version": "1.1",
    "call_site": "onResourcesFound:76",
    "command": "java -cp classes:dependency/* Application",
    "tags": [
      "_dateparsefailure"
    ],
    "image_name": "xyz",
    "@timestamp": "2017-06-27T21:39:41.137Z",
    "container_name": "xyz",
    "service": "device-management",
    "host": "Docker-2",
    "@version": "1",
    "tag": "59858d7aa20d",
    "image_id": "sha256:acbccc5b39088ac1b2993e9e9dcd290e7cfa10499ef5eeca9f145d44ccc5571b",
    "container_id": "59858d7aa20dae4bc6220c4ff7366d7bef059d50213e852c3adab2eb8493af08",
    "timestamp": "17-06-27 21:39:41.137"
  },
  "fields": {
    "created": [
      1498570261373
    ],
    "@timestamp": [
      1498599581137
    ]
  },
  "sort": [
    1498599581137
  ]
}

Where is the problem?

1 answer:

Answer 0: (score: 0)

I don't see this line in your JSON file:

 "message_format":"{{{syslog_message}}}"

You should be able to add fields to it using {fieldname} from the existing lines.

Some reference pages:

here and here

At one point I had my own custom message_format setting, but I can't find the reference to the page that showed me how to format it.

Edit:

Also, it looks like you need to map the fields correctly. Below is the index pattern that I had lost and then found again in my json file:

{
  "index_patterns" : [
    {
      "es": {
        "default_index": "lnf-*",
        "allow_url_parameter": false
      },
      "tail_interval_in_seconds": 10,
      "es_index_time_offset_in_seconds": 0,
      "display_timezone": "local",
      "display_timestamp_format": "MMM DD HH:mm:ss",
      "max_buckets": 500,
      "default_time_range_in_days" : 0,
      "max_hosts": 100,
      "max_events_to_keep_in_viewer": 5000,
      "fields" : {
        "mapping" : {
            "timestamp" : "@timestamp",
            "display_timestamp" : "@timestamp",
            "hostname" : "logsource",
            "program": "program",
            "message": "message"
        },
        "message_format": "{{{message}}}"
      }
    }
  ]
}

Note that every field mapping in yours has "message"...
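As an added example (not from the question or the answer above), the following script checks a Logtrail index_pattern against a real Elasticsearch document the way the answer suggests: the default_index glob must match the document's _index, every mapped role must point at a field that exists in _source, hostname/program/message should not all read the same field, and message_format must be present and reference existing fields. The sample document is a trimmed copy of the one in the question; the "fixed" pattern (hostname -> host, program -> service) is an assumed correction, not something the page states.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the _source of the document from the question, trimmed.
SAMPLE_DOC = {
    "_index": "logstash-2017.06.27",
    "_source": {"@timestamp": "2017-06-27T21:39:41.137Z", "message": "Discovered 3 resources",
                "host": "Docker-2", "service": "device-management", "log_level": "DEBUG"},
}

# The index_pattern from the question: every text role mapped to "message", no message_format.
ASKER_PATTERN = {
    "es": {"default_index": "logstash-*"},
    "fields": {"mapping": {"timestamp": "@timestamp", "display_timestamp": "@timestamp",
                           "hostname": "message", "program": "message", "message": "message"}},
}

# Assumed fix: hostname/program point at fields the document actually carries.
FIXED_PATTERN = {
    "es": {"default_index": "logstash-*"},
    "fields": {"mapping": {"timestamp": "@timestamp", "display_timestamp": "@timestamp",
                           "hostname": "host", "program": "service", "message": "message"},
               "message_format": "{{{message}}}"},
}

ROLES = ("timestamp", "display_timestamp", "hostname", "program", "message")
TEXT_ROLES = ("hostname", "program", "message")


def check_pattern(pattern, doc):
    """Return a list of problems found when a Logtrail index_pattern is checked against one document."""
    problems = []
    index_glob = pattern.get("es", {}).get("default_index", "")
    if not fnmatch(doc["_index"], index_glob):
        problems.append(f"index {doc['_index']!r} does not match default_index {index_glob!r}")
    src = doc["_source"]
    mapping = pattern.get("fields", {}).get("mapping", {})
    for role in ROLES:
        target = mapping.get(role)
        if target is None:
            problems.append(f"mapping has no {role!r} entry")
        elif target not in src:
            problems.append(f"{role!r} is mapped to {target!r}, which the document lacks")
    # hostname, program and message all reading the same field (as in the question) is a smell
    targets = [mapping.get(r) for r in TEXT_ROLES]
    for t in set(targets):
        if t is not None and targets.count(t) > 1:
            problems.append(f"{t!r} is used for several roles: {[r for r in TEXT_ROLES if mapping.get(r) == t]}")
    fmt = pattern.get("fields", {}).get("message_format")
    if fmt is None:
        problems.append("message_format is not set")
    else:  # every {{field}} / {{{field}}} placeholder must exist in the document
        for name in re.findall(r"\{\{\{?\s*([\w.@]+)\s*\}?\}\}", fmt):
            if name not in src:
                problems.append(f"message_format references {name!r}, which the document lacks")
    return problems
```

Running check_pattern(ASKER_PATTERN, SAMPLE_DOC) reports the missing message_format and the shared "message" field, while the fixed pattern yields no problems.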