1

我是这个 ELK 的新手。我一直在尝试使用此堆栈创建可视化,但我无法使用verbresponserequest字段,我只能选择几个可用字段

但是,在“发现”部分,我完全能够处理这些领域。这是我的一个查询结果的示例:

(我使用的是 Kibana 4.4.2,filebeat 转发到 logstash 2.2.3)

{
  "_index": "filebeat-2016.04.12",
  "_type": "apache_log",
  "_id": "AVQMoRFwO5HM5nz1lmXf",
  "_score": null,
  "_source": {
    "message": "187.142.15.173 - - [12/Apr/2016:16:39:23 -0600] \"GET /v1.0/person/297312123/client/1132347/profile HTTP/1.1\" 200 2051 \"-\" \"Android CEX 2.2.0\"",
    "@version": "1",
    "@timestamp": "2016-04-12T22:39:27.064Z",
    "beat": {
      "hostname": "myhost",
      "name": "myhost"
    },
    "count": 1,
    "fields": null,
    "input_type": "log",
    "offset": 30034512,
    "source": "/var/log/httpd/access_log",
    "type": "apache_log",
    "host": "myhost",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "clientip": "187.142.15.173",
    "ident": "-",
    "auth": "-",
    "timestamp": "12/Apr/2016:16:39:23 -0600",
    "verb": "GET",
    "request": "/v1.0/person/297312123/client/1132347/profile",
    "httpversion": "1.1",
    "response": "200",
    "bytes": "2051",
    "referrer": "\"-\"",
    "agent": "\"Android CEX 2.2.0\"",
  },
  "fields": {
    "@timestamp": [
      1460500767064
    ]
  },
  "sort": [
    1460500767064
  ]
}

这可能有什么问题?

这是我的配置文件:

   filter {
    if [type] == "syslog" {         
        grok {
            match => { "message" => 
              "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
        }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
    }

    syslog_pri { }

    date {
        match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
    if [type] == "apache_log" {

        grok {
        # match => [ "message", "%{COMBINEDAPACHELOG}" ]
            # match => { "message" => "%{COMBINEDAPACHELOG}" }
            # add_field => [ "received_at", "%{@timestamp}" ]
            # add_field => [ "received_from", "%{host}" ]
        match => [ "message", "%{COMBINEDAPACHELOG}" ]
        }

        #syslog_pri { }

        #date {
        #    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        #}

  }
}

提前致谢!

4

1 回答 1

2

我的第一个想法是 kibana 字段缓存。转到设置->索引,选择您的索引,然后单击橙色的重新加载按钮。

于 2016-04-12T23:55:47.670 回答