Kibana:在文本中搜索字符串
Kibana: Search within text for string
我在 Kibana 中有一条包含以下内容的日志消息:
org.hibernate.exception.GenericJDBCException: Cannot open connection
at org.springframework.orm.hibernate3.HibernateTransactionManager.doBegin(HibernateTransactionManager.java:597)
未返回结果的实际搜索:log_message:"hibernate3"
如果我搜索 "hibernate3",则不会出现此消息。我正在使用 Elasticsearch 模板并为该字段编制了索引,但也希望能够进行不区分大小写的全文搜索。这可能吗?
正在使用的模板:
{
"template": "filebeat-*",
"mappings": {
"mainProgram": {
"properties": {
"@timestamp": {
"type": "date",
"format": "strict_date_optional_time||epoch_millis"
},
"@version": {
"type": "text"
},
"beat": {
"properties": {
"hostname": {
"type": "text"
},
"name": {
"type": "text"
}
}
},
"class_method": {
"type": "text",
"fielddata": "true",
"index": "true"
},
"class_name": {
"type": "text",
"fielddata": "true"
},
"clientip": {
"type": "ip",
"index": "not_analyzed"
},
"count": {
"type": "long"
},
"host": {
"type": "text",
"index": "not_analyzed"
},
"input_type": {
"type": "text",
"index": "not_analyzed"
},
"log_level": {
"type": "text",
"fielddata": "true",
"index": "true"
},
"log_message": {
"type": "text",
"index": "true"
},
"log_timestamp": {
"type": "text"
},
"log_ts": {
"type": "long",
"index": "not_analyzed"
},
"message": {
"type": "text"
},
"offset": {
"type": "long",
"index": "not_analyzed"
},
"query_params": {
"type": "text",
"index": "true"
},
"sessionid": {
"type": "text",
"index": "true"
},
"source": {
"type": "text",
"index": "not_analyzed"
},
"tags": {
"type": "text"
},
"thread": {
"type": "text",
"index": "true"
},
"type": {
"type": "text"
},
"user_account_combo": {
"type": "text",
"index": "true"
},
"version": {
"type": "text"
}
}
},
"access": {
"properties": {
"@timestamp": {
"type": "date",
"format": "strict_date_optional_time||epoch_millis"
},
"@version": {
"type": "text"
},
"beat": {
"properties": {
"hostname": {
"type": "text"
},
"name": {
"type": "text"
}
}
},
"clientip": {
"type": "ip",
"index": "not_analyzed"
},
"count": {
"type": "long",
"index": "not_analyzed"
},
"host": {
"type": "text",
"index": "true"
},
"input_type": {
"type": "text",
"index": "not_analyzed"
},
"log_timestamp": {
"type": "text"
},
"log_ts": {
"type": "long",
"index": "not_analyzed"
},
"message": {
"type": "text"
},
"offset": {
"type": "long",
"index": "not_analyzed"
},
"query_params": {
"type": "text",
"index": "true"
},
"response_time": {
"type": "long"
},
"sessionid": {
"type": "text",
"index": "true"
},
"source": {
"type": "text",
"index": "not_analyzed"
},
"statuscode": {
"type": "long"
},
"tags": {
"type": "text"
},
"thread": {
"type": "text",
"index": "true"
},
"type": {
"type": "text",
"index": "true"
},
"uripath": {
"type": "text",
"index": "true"
},
"user_account_combo": {
"type": "text",
"index": "true"
},
"verb": {
"type": "text",
"index": "true"
}
}
}
}
}
根据您的情况,您需要的是 analyzed(经过分析)的 string 字段:索引时先用分析器把字符串切成词项,再对词项编制索引。引自文档:
In other words, index this field as full text.
因此请确保相关字段的映射正确,才能对文档做全文搜索。几点补充:
- `string` 搭配 `"index": "analyzed"/"not_analyzed"` 是 Elasticsearch 2.x 的写法;5.x 起拆分为 `text`(分析后做全文索引)和 `keyword`(不分析、精确匹配),且 `index` 只接受 true/false。您的模板已经在用 `text`,却仍混用 `"index": "not_analyzed"`,在 5.x 及以后创建索引时这应该会被拒绝;需要精确匹配的字段(host、source、input_type 等)应改为 `"type": "keyword"`。
- 您的 `log_message` 已是 `text` 却搜不到 `hibernate3`,很可能是因为标准分析器把 `org.springframework.orm.hibernate3.HibernateTransactionManager.doBegin` 这类带点号的 Java 标识符整体保留为一个词项,`hibernate3` 并不会单独成词。可用 `_analyze` API 查看实际产生的词项;若要按子串命中,需为该字段配置会在点号处切分的自定义分析器(例如用 char_filter 把 `.` 替换成空格)。
- `"fielddata": "true"` 会把 text 字段的全部词项加载进 JVM 堆,在高基数的日志字段上很容易耗尽堆内存;只在确实需要对该字段聚合/排序时才开启,否则应改用 keyword 子字段。
假设,在 Kibana
中,如果日志行在字段 message
下,您可以简单地通过以下方式搜索单词:
message:"hibernate3"
您可能还想参考 this,以确定 Term Based
和 Full-Text
之间的差异。
编辑
字段 log_message 的映射应改为 analyzed 的字符串类型(下面是 2.x 写法,`string` 类型默认即为 analyzed):
"log_message": {
"type": "string",
"index": "true"
}
注意:`string` 类型在 5.x 已弃用、6.x 已移除,新版本请直接用 `"type": "text"`(默认就是分析后全文索引,无需再写 index)。另外索引模板只对之后新建的索引生效,已存在的 filebeat-* 索引不会自动更新映射,需要重建索引(reindex)才能套用新映射。
也可以尝试通配符(wildcard)搜索:
{"wildcard":{"log_message":"*.hibernate3.*"}}
在 Kibana 查询栏中写 message: *.hibernate3.* 也有效(请注意不要加引号,加引号后会被当作短语而不是通配符)。`.` 在通配符查询中是普通字符,`*.hibernate3.*` 要求 `hibernate3` 前后都紧跟点号,更通用的写法是 `*hibernate3*`。另外,带前导通配符的查询需要扫描该字段的全部词项,在大体量日志索引上非常慢,甚至可能拖垮整个集群;生产环境请尽量避免,可通过 `query_string` 的 `allow_leading_wildcard: false`(或集群设置 `indices.query.query_string.allowLeadingWildcard`)禁止此类查询,并从根本上用合适的分析器解决分词问题。
对于 Kibana 6.4.1,我使用“%”作为通配符。
message: %hibernate3%
注意:`%` 并不是 Lucene 查询语法或 KQL 定义的通配符(通配符是 `*` 和 `?`),请先用 _analyze 或对比结果确认这种写法确实按子串匹配,而不是碰巧命中;更稳妥的写法是 message: *hibernate3*。
对我来说,原因是我用了 ".keyword" 子字段。
我的字段名为“message”,Kibana 中同时有“message”和“message.keyword”可选。
“.keyword”是 keyword 类型的子字段,不经过分析,只有与整个字段值完全相等时才会匹配,所以对它做全文(分词)搜索无效;全文搜索要用经过分析的“message”字段本身。
不工作:
message.keyword : hello
工作:
message : hello
我在 Kibana 中有一条包含以下内容的日志消息:
org.hibernate.exception.GenericJDBCException: Cannot open connection
at org.springframework.orm.hibernate3.HibernateTransactionManager.doBegin(HibernateTransactionManager.java:597)
未返回结果的实际搜索:log_message:"hibernate3"
如果我搜索 "hibernate3",则不会出现此消息。我正在使用 Elasticsearch 模板并为该字段编制了索引,但也希望能够进行不区分大小写的全文搜索。这可能吗?
正在使用的模板:
{
"template": "filebeat-*",
"mappings": {
"mainProgram": {
"properties": {
"@timestamp": {
"type": "date",
"format": "strict_date_optional_time||epoch_millis"
},
"@version": {
"type": "text"
},
"beat": {
"properties": {
"hostname": {
"type": "text"
},
"name": {
"type": "text"
}
}
},
"class_method": {
"type": "text",
"fielddata": "true",
"index": "true"
},
"class_name": {
"type": "text",
"fielddata": "true"
},
"clientip": {
"type": "ip",
"index": "not_analyzed"
},
"count": {
"type": "long"
},
"host": {
"type": "text",
"index": "not_analyzed"
},
"input_type": {
"type": "text",
"index": "not_analyzed"
},
"log_level": {
"type": "text",
"fielddata": "true",
"index": "true"
},
"log_message": {
"type": "text",
"index": "true"
},
"log_timestamp": {
"type": "text"
},
"log_ts": {
"type": "long",
"index": "not_analyzed"
},
"message": {
"type": "text"
},
"offset": {
"type": "long",
"index": "not_analyzed"
},
"query_params": {
"type": "text",
"index": "true"
},
"sessionid": {
"type": "text",
"index": "true"
},
"source": {
"type": "text",
"index": "not_analyzed"
},
"tags": {
"type": "text"
},
"thread": {
"type": "text",
"index": "true"
},
"type": {
"type": "text"
},
"user_account_combo": {
"type": "text",
"index": "true"
},
"version": {
"type": "text"
}
}
},
"access": {
"properties": {
"@timestamp": {
"type": "date",
"format": "strict_date_optional_time||epoch_millis"
},
"@version": {
"type": "text"
},
"beat": {
"properties": {
"hostname": {
"type": "text"
},
"name": {
"type": "text"
}
}
},
"clientip": {
"type": "ip",
"index": "not_analyzed"
},
"count": {
"type": "long",
"index": "not_analyzed"
},
"host": {
"type": "text",
"index": "true"
},
"input_type": {
"type": "text",
"index": "not_analyzed"
},
"log_timestamp": {
"type": "text"
},
"log_ts": {
"type": "long",
"index": "not_analyzed"
},
"message": {
"type": "text"
},
"offset": {
"type": "long",
"index": "not_analyzed"
},
"query_params": {
"type": "text",
"index": "true"
},
"response_time": {
"type": "long"
},
"sessionid": {
"type": "text",
"index": "true"
},
"source": {
"type": "text",
"index": "not_analyzed"
},
"statuscode": {
"type": "long"
},
"tags": {
"type": "text"
},
"thread": {
"type": "text",
"index": "true"
},
"type": {
"type": "text",
"index": "true"
},
"uripath": {
"type": "text",
"index": "true"
},
"user_account_combo": {
"type": "text",
"index": "true"
},
"verb": {
"type": "text",
"index": "true"
}
}
}
}
}
根据您的情况,您需要的是 analyzed(经过分析)的 string 字段:索引时先用分析器把字符串切成词项,再对词项编制索引。引自文档:
In other words, index this field as full text.
因此请确保相关字段的映射正确,才能对文档做全文搜索。几点补充:
- `string` 搭配 `"index": "analyzed"/"not_analyzed"` 是 Elasticsearch 2.x 的写法;5.x 起拆分为 `text`(分析后做全文索引)和 `keyword`(不分析、精确匹配),且 `index` 只接受 true/false。您的模板已经在用 `text`,却仍混用 `"index": "not_analyzed"`,在 5.x 及以后创建索引时这应该会被拒绝;需要精确匹配的字段(host、source、input_type 等)应改为 `"type": "keyword"`。
- 您的 `log_message` 已是 `text` 却搜不到 `hibernate3`,很可能是因为标准分析器把 `org.springframework.orm.hibernate3.HibernateTransactionManager.doBegin` 这类带点号的 Java 标识符整体保留为一个词项,`hibernate3` 并不会单独成词。可用 `_analyze` API 查看实际产生的词项;若要按子串命中,需为该字段配置会在点号处切分的自定义分析器(例如用 char_filter 把 `.` 替换成空格)。
- `"fielddata": "true"` 会把 text 字段的全部词项加载进 JVM 堆,在高基数的日志字段上很容易耗尽堆内存;只在确实需要对该字段聚合/排序时才开启,否则应改用 keyword 子字段。
假设,在 Kibana
中,如果日志行在字段 message
下,您可以简单地通过以下方式搜索单词:
message:"hibernate3"
您可能还想参考 this,以确定 Term Based
和 Full-Text
之间的差异。
编辑
字段 log_message 的映射应改为 analyzed 的字符串类型(下面是 2.x 写法,`string` 类型默认即为 analyzed):
"log_message": {
"type": "string",
"index": "true"
}
注意:`string` 类型在 5.x 已弃用、6.x 已移除,新版本请直接用 `"type": "text"`(默认就是分析后全文索引,无需再写 index)。另外索引模板只对之后新建的索引生效,已存在的 filebeat-* 索引不会自动更新映射,需要重建索引(reindex)才能套用新映射。
也可以尝试通配符(wildcard)搜索:
{"wildcard":{"log_message":"*.hibernate3.*"}}
在 Kibana 查询栏中写 message: *.hibernate3.* 也有效(请注意不要加引号,加引号后会被当作短语而不是通配符)。`.` 在通配符查询中是普通字符,`*.hibernate3.*` 要求 `hibernate3` 前后都紧跟点号,更通用的写法是 `*hibernate3*`。另外,带前导通配符的查询需要扫描该字段的全部词项,在大体量日志索引上非常慢,甚至可能拖垮整个集群;生产环境请尽量避免,可通过 `query_string` 的 `allow_leading_wildcard: false`(或集群设置 `indices.query.query_string.allowLeadingWildcard`)禁止此类查询,并从根本上用合适的分析器解决分词问题。
对于 Kibana 6.4.1,我使用“%”作为通配符。
message: %hibernate3%
注意:`%` 并不是 Lucene 查询语法或 KQL 定义的通配符(通配符是 `*` 和 `?`),请先用 _analyze 或对比结果确认这种写法确实按子串匹配,而不是碰巧命中;更稳妥的写法是 message: *hibernate3*。
对我来说,原因是我用了 ".keyword" 子字段。
我的字段名为“message”,Kibana 中同时有“message”和“message.keyword”可选。
“.keyword”是 keyword 类型的子字段,不经过分析,只有与整个字段值完全相等时才会匹配,所以对它做全文(分词)搜索无效;全文搜索要用经过分析的“message”字段本身。
不工作:
message.keyword : hello
工作:
message : hello