我有一个AWS ElasticSearch(v 5.5)/ Kibana(v 5.5.2)实例,它从Java服务中提取日志数据。在我的日志中,我具有带有完全限定的异常名称(例如com.example.MyException)的堆栈跟踪。
我的问题是,当我尝试通过Kibana搜索MyException时,结果为零,但是如果我搜索com.example.MyException,则返回的结果都是我期望的。
ElasticSearch word-delimiter文档说:
Words are split into subwords with the following rules:
- split on intra-word delimiters (by default, all non alpha-numeric characters)
我希望这意味着我的完全合格的类(class)名称将由点分隔,并且我将能够仅搜索类(class)名称。
我需要做些什么才能能够仅搜索类名称以获得ElasticSearch的结果。
更新
我的日志已通过Stream Cloudwatch Logs to EslaticSearch AWS功能吸收到ElasticSearch中。此功能生成一个AWS lmbda函数,该函数将日志记录发送到ElasticSearch。我正在使用默认的生成函数(see code)。我尚未配置任何ElasticSearch映射,所以我假设我使用的是Dynamic Mapping的默认值
样本日志条目:
{
"date": 1516892650443,
"requestID": "ff5d5a37-01e0-11e8-bf20-610a6080caa5",
"logger name": "com.example.MyHandler",
"level": "ERROR",
"message": "Exception thrown: ",
"exception": " com.example.MyException \n \tat com.example.MyHandler.handle(MyHandler.java:100) \n \tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) \n \tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) \n \tat java.lang.Thread.run(Thread.java:748) \n Caused by: java.io.IOException: Stream closed\n \tat java.io.FileInputStream.read(FileInputStream.java:100)"
}
样本索引配置:
{
"cwl-2018.01.16": {
"aliases": {},
"mappings": {
"MyService-prod": {
"properties": {
"@id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@log_group": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@log_stream": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@owner": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"@timestamp": {
"type": "date"
},
"date": {
"type": "long"
},
"exception": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"level": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"logger name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"requestID": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
},
"settings": {
"index": {
"refresh_interval": "5s",
"number_of_shards": "5",
"blocks": {
"write": "false"
},
"provided_name": "cwl-2018.01.16",
"creation_date": "1516060800423",
"number_of_replicas": "0",
"uuid": "xxxx",
"version": {
"created": "5050299"
}
}
}
}
}
最佳答案
您是否尝试过在Kibana中搜索* MyException?我在我的环境中使用了它,并且效果很好。但是您应该对时间范围保持谨慎,起初我用了90天,但必须重新启动Elasticsearch。如果您指定要查看的字段,则它会更快,因此我使用了“logger:* MySearchExpression”,它在几秒钟内就可以工作了。
关于java - ElasticSearch:查询点分隔单词的部分,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/48431742/