我有用于日志分析的ELK 5.2.1。现在,我需要通过Kibana搜索栏搜索一些字符串。例如,我需要找到包含“usage:527”的日志。我了解语法应遵循https://lucene.apache.org/core/2_9_4/queryparsersyntax.html。但这对我不起作用。
我试过了:
"usage\:527"
"usage:527"
"usage?527"
message:/usage\:527/
message:/.*usage:527.*/
但是没有任何效果。任何人都有经验可以帮助我吗?谢谢!
我知道使用开发工具进行查询是另一种方法,但是我的一些ELK用户没有这种能力。
以下是索引详细信息:
curl -XGET -u elastic localhost:9200/app_web_log-20170410
Enter host password for user 'elastic':
{"app_web_log-20170410":{"aliases":{},"mappings":{"log":{"properties":{"@timestamp":{"type":"date"},"@version":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"beat":{"properties":{"hostname":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"name":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"version":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}},"deployment":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"input_type":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"message":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"module":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"offset":{"type":"long"},"source":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}},"type":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":256}}}}}},"settings":{"index":{"creation_date":"1491782403146","number_of_shards":"5","number_of_replicas":"1","uuid":"73cWj5AHTmeFdXnJk4xCjQ","version":{"created":"5020199"},"provided_name":"app_web_log-20170410"}}}}
最佳答案
根据您的映射,如果消息字段包含确切值usage:527,则可以在Kibana中尝试以下查询:
message.keyword:"usage:527"
如果
usage:527是您的消息字段的子字符串,则可以尝试使用regular expression,如下所示message.keyword:/usage:527/
关于elasticsearch - 在Kibana搜索栏中搜索特殊字符,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44169546/