在ELK中结合日志和查询
[英]Combine logs and query in ELK
问题描述
With ELK (Elasticsearch-Logstash-Kibana) stack, I collect syslog logs from *nix boxes to Logstash and send it to Kibana via Elasticsearch. 
使用ELK(Elasticsearch-Logstash-Kibana)堆栈,我从* nix框中收集syslog日志到Logstash,然后通过Elasticsearch将其发送到Kibana。 This is classical one scenario. 这是经典的一种情况。
My syslog log includes normal system events, squid access log, captiveportal login logs etc. captiveportal logged as 我的系统日志包括正常的系统事件,鱿鱼访问日志,强制登录日志等。
1423548430 2582 192.168.1.23 xx:ae:xx:e1:xx:99 mike.brown cc9aeb1210b39571 MTI= first
and 和
squid access logs logged as: 鱿鱼访问日志记录为:
1423562965.228 482 192.168.1.23 TCP_MISS/200 1254 POST http://ad4.liverail.com/? - DIRECT/31.13.93.12 text/xml
In Logstash, I have filtered captive portal log, and I have got client_ip="192.168.1.23" , user_name="mike.brown" and also in different filter in Logstash configuration I have also filtered squid access log, and I have got src_ip="192.168.1.23" . 在Logstash中,我过滤了强制门户日志,并且得到了client_ip="192.168.1.23" , user_name="mike.brown"并且在Logstash配置中的其他过滤器中,我还过滤了鱿鱼访问日志,并且得到了src_ip="192.168.1.23" 。
My question is: How can I query to get user_name where client_ip of squid access log equals to src_ip of captive portal in Kibana? 我的问题是:如何查询以获得用户名,其中鱿鱼访问日志的client_ip等于Kibana中的强制门户的src_ip?
1 个解决方案
解决方案1
0 2015-02-10 23:55:46
You can't do joins in elasticsearch. 您不能在elasticsearch中加入联接。 They discuss a few of the options for relationships in this doc . 他们讨论了此文档中用于关系的一些选项。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.