I have nginx reverse-proxying my web traffic. I have Filebeat 7.10 forwarding the logs to Elastic 7.10, with a Kibana 7.10 front end. I have an iOS app that creates an anonymous UUID for each user and attaches it to web service calls (https://meezeeco.com/getapp?r=so). I don't want to track who the users are, but I do want to track app usage so I can provide a better user experience based on what real users prefer. In other words, I want to be able to see which users actually come back to the app after installing it once.
I can query the log file like this:
url.original: *MainView&u=*
and get back Elastic records like this:
Mar 9, 2021 @ 13:38:50.000
url.original: /action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27
agent.hostname: ip-x-x-x-x
agent.name: ip-x-x-x-x
agent.id: 6a8942bc-65c0-4ebe-9327-ff4ae37e44b5
agent.type: filebeat
agent.ephemeral_id: 6fc4b0f4-8cac-40f3-9ac4-1cdb38353bc7
agent.version: 7.10.1
nginx.access.remote_ip_list: x.x.x.x
log.file.path: /var/log/nginx/access.log
log.offset: 396,403
source.geo.continent_name: North America
source.geo.region_iso_code: US-XX
source.geo.city_name: XXXX
source.geo.country_iso_code: US
source.geo.country_name: United States
source.geo.region_name: XX
source.geo.location: { "lon": x, "lat": x }
source.as.number: 7,922
source.as.organization.name: Comcast Cable Communications, LLC
source.address: x.x.x.x
source.ip: x.x.x.x
fileset.name: access
cloud.availability_zone: us-east-2c
cloud.image.id: ami-0a91cd140a1fc148a
cloud.instance.id: i-051459c13cab744db
cloud.provider: aws
cloud.machine.type: t2.micro
cloud.region: us-east-2
cloud.account.id: xxxxx
input.type: log
@timestamp: Mar 9, 2021 @ 13:38:50.000
ecs.version: 1.5.0
related.ip: x.x.x.x
service.type: nginx
host.hostname: ip-x-x-x-x
host.os.kernel: x-aws
host.os.codename: x
host.os.name: x
host.os.family: x
host.os.version: x
host.os.platform: x
host.containerized: false
host.ip: x.x.x.x
host.name: ip-x-x-x-x
host.id: x
host.mac: x:x:x:X:X:x
host.architecture: x86_64
http.request.method: GET
http.response.status_code: 200
http.response.body.bytes: 4B
http.version: 1.1
event.ingested: Mar 9, 2021 @ 13:38:56.086
event.timezone: +00:00
event.created: Mar 9, 2021 @ 13:38:55.029
event.kind: event
event.module: nginx
event.category: web
event.type: access
event.dataset: nginx.access
event.outcome: success
user_agent.original: x
user_agent.os.name: iOS
user_agent.name: Meezy%20Workout
user_agent.device.name: iOS-Device
user_agent.version: x
_id: aCtIGHgBd0tfsQLQ7vxb
_type: _doc
_index: filebeat-7.10.1-2021.02.15-000003
_score: -
But I want to be able to find only the records whose UUID (in this case u=23860DD1-DF9B-4868-A050-BF8CF97A6F27) is present on multiple days.
I have used the SQL interface to Elastic, like so:
select day_of_year("@timestamp") AS DOY, url.original AS URL from "filebeat-*" where url.original like '%MainView&u=%' group by url.original, DOY ORDER BY url.original, DOY;
This gives me a list of distinct day + URL/UUID combinations, like this:
DOY URL
55 /action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27
56 /action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27
57 /action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27
55 /action/?a=MainView&u=ABC1234-EA10-1123-B049-CG7AB27A23
I could dump this to a text file and then add up the unique days in code by hand. But ideally I could do this the native Kibana way, to build a dashboard, or the native Elastic SQL way.
If Elastic could support a query like this:
select count(URL), URL from (select day_of_year("@timestamp") AS DOY, url.original AS URL from "filebeat-*" where url.original like '%MainView&u=%' group by url.original, DOY) group by URL having count(URL) > 1;
then that would be perfect, because I could see output like this:
COUNT URL
3 /action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27
Unfortunately, Elastic's support for sub-selects does not cover scalar operations on the results of the inner select. According to the docs, it only supports sub-selects that could also be expressed as a simple select. Cross-posting this with the SQL tag in case anyone can come up with a way to express the nested select as a simple select.
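An added example, not part of the original question and not Elastic's or the asker's code: Python that (a) reproduces the "distinct days per UUID" logic offline over a constructed sample mirroring the DOY/URL table above, and (b) builds an Elasticsearch aggregation request that computes the same thing inside the cluster, so the per-UUID day counts never have to be exported to a text file. The field names `url.original` and `@timestamp` come from the record in the question; the aggregation names, the Painless script, the `min_days` parameter and the assumption that `url.original` is an aggregatable keyword field in the Filebeat nginx mapping are mine.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample hits (timestamp, url.original) mirroring the DOY/URL table
# in the question: days 55-57 of 2021 are Feb 24-26. Not real log data.
SAMPLE_HITS = [
    ("2021-02-24T10:00:00Z", "/action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27"),
    ("2021-02-24T11:30:00Z", "/action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27"),
    ("2021-02-25T09:00:00Z", "/action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27"),
    ("2021-02-26T08:15:00Z", "/action/?a=MainView&u=23860DD1-DF9B-4868-A050-BF8CF97A6F27"),
    ("2021-02-24T12:00:00Z", "/action/?a=MainView&u=ABC1234-EA10-1123-B049-CG7AB27A23"),
    ("2021-02-24T12:05:00Z", "/action/?a=Settings&u=ABC1234-EA10-1123-B049-CG7AB27A23"),
]


def uuid_from_url(url):
    """Return the anonymous 'u' query parameter of a url.original value, or None."""
    return parse_qs(urlparse(url).query).get("u", [None])[0]


def returning_users(hits, min_days=2):
    """Offline version of the question's nested SELECT: count distinct
    (year, day-of-year) per MainView UUID and keep those seen on >= min_days days.
    Returns {uuid: distinct_day_count}."""
    days_seen = defaultdict(set)
    for ts, url in hits:
        if "MainView&u=" not in url:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # The year is part of the key so day 55 of 2021 and 2022 do not collide.
        days_seen[uuid_from_url(url)].add((when.year, when.timetuple().tm_yday))
    return {u: len(d) for u, d in days_seen.items() if len(d) >= min_days}


def build_es_query(min_days=2, size=100):
    """Elasticsearch aggregation DSL (my construction, not from the question)
    computing the same answer server-side. Assumes url.original is an
    aggregatable keyword field, as in the Filebeat nginx module mapping."""
    return {
        "size": 0,
        "query": {"wildcard": {"url.original": {"value": "*MainView&u=*"}}},
        "aggs": {
            "per_uuid_url": {
                "terms": {"field": "url.original", "size": size},
                "aggs": {
                    # Distinct calendar days per URL bucket; year*1000+dayOfYear
                    # keeps the value unique across a year boundary.
                    "distinct_days": {
                        "cardinality": {
                            "script": {
                                "lang": "painless",
                                "source": "doc['@timestamp'].value.getYear() * 1000 "
                                          "+ doc['@timestamp'].value.getDayOfYear()",
                            }
                        }
                    },
                    # Drop URL buckets seen on fewer than min_days distinct days.
                    "returning_only": {
                        "bucket_selector": {
                            "buckets_path": {"days": "distinct_days"},
                            "script": f"params.days >= {int(min_days)}",
                        }
                    },
                },
            }
        },
    }


def parse_es_response(resp):
    """Turn the aggregation response into {uuid: distinct_day_count}."""
    buckets = resp["aggregations"]["per_uuid_url"]["buckets"]
    return {uuid_from_url(b["key"]): int(b["distinct_days"]["value"]) for b in buckets}


if __name__ == "__main__":
    print("offline:", returning_users(SAMPLE_HITS))
    print(json.dumps(build_es_query(), indent=2))
```

The request body from `build_es_query()` is what you would POST to `filebeat-*/_search`; the `cardinality` metric is approximate (HyperLogLog++) but exact for the handful of days per UUID involved here, and `bucket_selector` does the work of the `HAVING count(URL) > 1` clause that Elastic SQL cannot apply to the inner select. Because the day counting happens in the cluster, only the UUIDs that actually returned are in the response, which is the smallest slice of the pseudonymous identifiers that answers the question.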