我有一个AWS ElasticSearch(v 5.5)/ Kibana(v 5.5.2)实例从我的java服务中提取我的日志数据。在我的日志中,我有完全限定的异常名称的堆栈跟踪(例如。com.example.MyException)。
我的问题是,当我尝试通过Kibana搜索MyException时,我得到零结果,但如果我搜索com.example.MyException,我会收到我期望的所有结果。
ElasticSearch word-delimiter文档说:
使用以下规则将单词拆分为子词:
- 拆分字内分隔符(默认情况下,所有非字母数字字符)
我希望这意味着我的完全限定的类名将被点分割,并且我将能够只搜索类名。
我需要做些什么才能只搜索类名来获取ElasticSearch的结果。
更新
我的日志通过Stream Cloudwatch Logs to EslaticSearch AWS功能进入ElasticSearch。此功能生成AWS lmbda函数,该函数将日志记录发送到ElasticSearch。我使用默认生成的函数(see code)。我没有配置任何ElasticSearch映射,所以我假设我使用Dynamic Mapping的默认值
示例日志条目:
{
"date": 1516892650443,
"requestID": "ff5d5a37-01e0-11e8-bf20-610a6080caa5",
"logger name": "com.example.MyHandler",
"level": "ERROR",
"message": "Exception thrown: ",
"exception": " com.example.MyException \n \tat com.example.MyHandler.handle(MyHandler.java:100) \n \tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) \n \tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) \n \tat java.lang.Thread.run(Thread.java:748) \n Caused by: java.io.IOException: Stream closed\n \tat java.io.FileInputStream.read(FileInputStream.java:100)"
}
示例索引配置:
{
"cwl-2018.01.16": {
"aliases": {},
"mappings": {
"MyService-prod": {
"properties": {
"@id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@log_group": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@log_stream": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@owner": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@timestamp": {
"type": "date"
},
"date": {
"type": "long"
},
"exception": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"level": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"logger name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"requestID": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
},
"settings": {
"index": {
"refresh_interval": "5s",
"number_of_shards": "5",
"blocks": {
"write": "false"
},
"provided_name": "cwl-2018.01.16",
"creation_date": "1516060800423",
"number_of_replicas": "0",
"uuid": "xxxx",
"version": {
"created": "5050299"
}
}
}
}
}
答案 0 :(得分:0)
您是否尝试在Kibana中搜索* MyException?我在我的环境中使用它并且它有效。但是你应该对时间范围保持谨慎,起初我用了90天而且我不得不重启我的Elasticsearch。如果你指定的字段比它更快,我使用" logger:* MySearchExpression"它在几秒钟内就能完成。