Logstash tag hierarchy
I'm installing Logstash, ElasticSearch & Kibana, and am trying to implement a hierarchy of logs that can be rendered as a tree.
e.g. take a hierarchy such as: web->site1->access, web->site1->error, mail->list1->bounces, etc.
Then have a web interface that can list this as a tree:
web
| - site1
    | - access
    | - error
mail
| - list1
    | - bounces
So users can quickly find the access log for site1.
I can write the web part (or add a custom panel to Kibana), but am not sure how to configure Logstash/Elasticsearch to store this.
Just with ElasticSearch, I tried adding fields like:
POST /test/logs
{
  "types": ["web", "site1", "access"],
  "message": "access log line 1"
}
POST /test/logs
{
  "types": ["mail", "list1", "bounces"],
  "message": "access log line 1"
}
...
But the types array gets split up (tokenized?), so when I do a facets query I get back a list of all the individual array values combined. Which is probably what you'd want if these were tags, but not in my case.
Is storing a hierarchy of tags possible in Logstash / ElasticSearch, and if so how?
That's an odd way of doing things.
You could add new fields, e.g.:
hostname: mail
site: site1
maillist: list1
log: access
Then be more specific in your query:
hostname:web AND site:site1 AND log:access
Provide a few prepared dashboards that users can tweak values to get what they need.
Otherwise you need to use nested field syntax and probably conditionals.
E.g. (untested)
filter {
  mutate {
    # add_field takes a hash; nested fields are addressed as [outer][inner]
    add_field => { "[%{servertype}][%{hostname}][%{site}][%{log}]" => "some value" }
  }
}
If you are sending in your logs in JSON format from the start, then you can create nested fields just by adding more nested JSON objects. e.g.:
{
  "message": "GET /interestingpage?param1=value1 HTTP/1.1 404",
  "tags": [
    "tag1",
    "tag2",
    "tag3",
    "valve"
  ],
  "@timestamp": "2013-10-24T20:23:46.222Z",
  "field3": "value3",
  "field2": "value2",
  "level": "ERROR",
  "http": {
    "request_protocol": "HTTP/1.1",
    "response_headers": {},
    "request_querystring": "param1=value1",
    "remote_user": null,
    "request_headers": {
      "Referer": null,
      "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
    },
    "response_size": 985,
    "response_status": 404,
    "request_parameters": {
      "param1": [
        "value1"
      ]
    },
    "request_uri": "/interestingpage",
    "remote_host": "192.168.1.208",
    "server_name": "192.168.1.67",
    "request_method": "GET",
    "response_duration": 27,
    "cookies": {}
  },
  "hostname": "precise64",
  "field1": "value1",
  "@version": "1",
  "user": "tomcat7"
}
Nested fields in Kibana are . (dot) separated in the field list. But you can use the field filter to narrow down to find what you need.
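The answer's two ideas, flat per-level fields that a query like hostname:web AND site:site1 AND log:access can match, and nested JSON that Kibana shows as dot-separated names, can be combined with one more trick that addresses the asker's tokenization problem: store the hierarchy both as an ordered list and as a single "/"-joined string, so a terms facet on the string returns whole paths (web/site1/access) rather than the individual levels. The following is an added example written for this page, not code from the original question or answer; the field names "path" and "path_str", the sample documents and the tree rendering are all constructed for illustration and are not Logstash or Elasticsearch conventions.

```python
# Added example (not from the original post). Field names "path" and
# "path_str" are assumptions chosen for illustration.
import json


def make_doc(levels, message, **fields):
    """Build one log document that records its place in the hierarchy.

    levels: ordered hierarchy such as ("web", "site1", "access").
    fields: flat per-level fields (hostname, site, log, ...) so that a
            query like hostname:web AND site:site1 AND log:access matches.
    The "/"-joined path_str is meant to be indexed as a single keyword, so
    a terms facet on it yields whole paths instead of split tokens.
    """
    doc = {
        "message": message,
        "path": list(levels),
        "path_str": "/".join(levels),
    }
    doc.update(fields)
    return doc


def flatten(obj, prefix=""):
    """Return nested JSON the way Kibana lists it: dot-separated field names."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def build_tree(docs):
    """Fold the ordered path of every document into one nested dict."""
    tree = {}
    for doc in docs:
        node = tree
        for level in doc["path"]:
            node = node.setdefault(level, {})
    return tree


def render_tree(tree, depth=0):
    """Render the nested dict as the indented tree the asker wants to show."""
    lines = []
    for name in sorted(tree):
        prefix = "" if depth == 0 else "  " * (depth - 1) + "| - "
        lines.append(prefix + name)
        lines.extend(render_tree(tree[name], depth + 1))
    return lines


def select(docs, **criteria):
    """Mimic an AND query over flat fields, e.g. hostname:web AND log:access."""
    return [d for d in docs if all(d.get(k) == v for k, v in criteria.items())]


# Constructed sample events (not real log data).
DOCS = [
    make_doc(("web", "site1", "access"), "GET / HTTP/1.1 200",
             hostname="web", site="site1", log="access"),
    make_doc(("web", "site1", "error"), "File does not exist: /favicon.ico",
             hostname="web", site="site1", log="error"),
    make_doc(("mail", "list1", "bounces"), "bounce: user unknown",
             hostname="mail", maillist="list1", log="bounces"),
]

if __name__ == "__main__":
    print("\n".join(render_tree(build_tree(DOCS))))
    # Same nested shape as the answer's JSON, shown with Kibana-style dotted names.
    sample = {"http": {"request_method": "GET", "request_headers": {"Referer": None}}}
    print(json.dumps(flatten(sample)))
    for d in select(DOCS, hostname="web", site="site1", log="access"):
        print(d["path_str"], "->", d["message"])
```

Running the script prints the tree for the three constructed documents, the dotted names Kibana would display for a nested http object, and the single document matched by the answer's hostname/site/log query.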