
I'm trying to deploy an EFK infrastructure (elasticsearch, fluentd, kibana), replacing logstash with fluentd.

Fluentd saves records in elasticsearch without any problem. I'm using the logstash_format directive with the value true to stay compatible with logstash.

Kibana doesn't show any records.

With tcpdump I can see the requests from kibana to elasticsearch (and the responses):

GET /logstash-2014.03.28,logstash-2014.03.29/_aliases?ignore_missing=true HTTP/1.1

returns the only index I have.

POST /logstash-2014.03.29/_search?search_type=count HTTP/1.1

with this data...

{
  "facets": {
    "0": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "10m"
      },
      "global": true,
      "facet_filter": {
        "fquery": {
          "query": {
            "filtered": {
              "query": {
                "query_string": {
                  "query": "*"
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "from": 1396032396265,
                          "to": "now"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "size": 0
}

returns...

{
  "took": 15,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 159,
    "max_score": 0,
    "hits": []
  },
  "facets": {
    "0": {
      "_type": "date_histogram",
      "entries": []
    }
  }
}

POST /logstash-2014.03.29/_search HTTP/1.1

with this data...

{
  "query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "*"
              }
            }
          ]
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "from": 1396032396560,
                  "to": "now"
                }
              }
            }
          ]
        }
      }
    }
  },
  "highlight"

returns no records...

{
  "took": 8,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  }
}

But if I try the same URL with GET and without data, I get records.

{
  "hits": [
    {
      "_index": "logstash-2014.03.29",
      "_type": "fluentd",
      "_id": "p9ck6aNoQq-rJFqV1nbVyQ",
      "_score": 1,
      "_source": {
        "host": "ubuntu02",
        "ident": "",
        "message": ":PRO::apache::access: 192.168.10.51 - kibana [29/Mar/2014:17:03:35 +0100] \"GET /index.html HTTP/1.1\" 200 2976 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36\" kibana.smartpurposes.net:443 0",
        "@timestamp": "2014-03-29T17:03:35+01:00"
      }
    }
  ]
}

GET /logstash-2014.03.29/_mapping HTTP/1.1

returns this...

{
  "logstash-2014.03.29": {
    "mappings": {
      "_default_": {
        "_all": {
          "enabled": false
        },
        "properties": {
          "@fields": {
            "dynamic": "true",
            "properties": {
              "ldaperrnum": {
                "type": "integer"
              }
            }
          }
        }
      },
      "fluentd": {
        "_all": {
          "enabled": false
        },
        "properties": {
          "@fields": {
            "dynamic": "true",
            "properties": {
              "ldaperrnum": {
                "type": "integer"
              }
            }
          },
          "@timestamp": {
            "type": "date",
            "format": "dateOptionalTime"
          },
          "host": {
            "type": "string"
          },
          "message": {
            "type": "string"
          }
        }
      }
    }
  }
}

Each of them returns data, but kibana shows nothing.

Any ideas?

Update:

If I send...

POST /logstash-2014.03.29/_search HTTP/1.1

with this data (removing the query), it works.

{
  "highlight": {
    "fields": {},
    "fragment_size": 2147483647,
    "pre_tags": [
      "@start-highlight@"
    ],
    "post_tags": [
      "@end-highlight@"
    ]
  },
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    },
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

So the problem seems to be here.

{
  "query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "*"
              }
            }
          ]
        }
      }
    }
  }
}
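Added here as a debugging aid (not code from the question, Kibana or Elasticsearch): a check of whether the stored record above falls inside the range filter Kibana sends, resolving the epoch-millisecond `from`, the keyword `now` and the record's +01:00 offset into UTC before comparing. Because Elasticsearch resolves `now` on its own clock, the server time is passed in explicitly; the server times in the demo are constructed.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the captured Kibana request and the stored record above.
KIBANA_RANGE = {"@timestamp": {"from": 1396032396265, "to": "now"}}
RECORD_TIMESTAMP = "2014-03-29T17:03:35+01:00"


def parse_timestamp(text):
    """Parse an ISO-8601 timestamp into an aware UTC datetime.

    A value without a zone designator is treated as UTC, which is how
    Elasticsearch reads such strings under the dateOptionalTime format.
    """
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_bound(value, now):
    """Resolve one range bound: epoch milliseconds (what Kibana sends for
    'from'), the keyword 'now' (evaluated on the Elasticsearch server's clock,
    supplied here as `now`), or an ISO-8601 string."""
    if value == "now":
        return now
    if isinstance(value, int):
        base = datetime.fromtimestamp(value // 1000, tz=timezone.utc)
        return base + timedelta(milliseconds=value % 1000)
    return parse_timestamp(value)


def in_range(timestamp_text, range_filter, now):
    """True if the record's @timestamp satisfies the range filter when the
    server evaluates 'now' as `now` (an aware datetime or ISO-8601 string)."""
    if isinstance(now, str):
        now = parse_timestamp(now)
    bounds = range_filter["@timestamp"]
    ts = parse_timestamp(timestamp_text)
    return parse_bound(bounds["from"], now) <= ts <= parse_bound(bounds["to"], now)


if __name__ == "__main__":
    # Constructed server clocks: one roughly in sync with the browser that
    # built the request, one running behind the record's own timestamp.
    for label, now in [("server clock in sync", "2014-03-29T18:46:36+00:00"),
                       ("server clock running slow", "2014-03-29T15:30:00+00:00")]:
        print(f"{label}: record matches filter = {in_range(RECORD_TIMESTAMP, KIBANA_RANGE, now)}")
```

The record sits at 16:03:35 UTC, so it is excluded whenever the server's `now` is earlier than that, even though the browser-side `from` bound (18:46:36 UTC the day before) is satisfied.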