Kibana - how to export search results

We recently moved our centralised logging from Splunk to an ELK solution, and we need to export search results. Is there a way to do this in Kibana 4.1? If there is, it isn't very obvious...

Thanks!

Sure, you can export from Kibana's Discover (Kibana 4.x+).

  1. On the Discover page, click the "up arrow" here:

  2. Now, at the bottom of the page, you'll have two options to export the search results

At logz.io (the company I work for) we will be releasing scheduled reports based on specific searches.

This only exports the timestamp and the message count at that point in time, not the log contents:

Raw:

1441240200000,1214
1441251000000,1217
1441261800000,1342
1441272600000,1452
1441283400000,1396
1441294200000,1332
1441305000000,1332
1441315800000,1334
1441326600000,1337
1441337400000,1215
1441348200000,12523
1441359000000,61897

Formatted:

"September 3rd 2015, 06:00:00.000","1,214"
"September 3rd 2015, 09:00:00.000","1,217"
"September 3rd 2015, 12:00:00.000","1,342"
"September 3rd 2015, 15:00:00.000","1,452"
"September 3rd 2015, 18:00:00.000","1,396"
"September 3rd 2015, 21:00:00.000","1,332"
"September 4th 2015, 00:00:00.000","1,332"
"September 4th 2015, 03:00:00.000","1,334"
"September 4th 2015, 06:00:00.000","1,337"
"September 4th 2015, 09:00:00.000","1,215"
"September 4th 2015, 12:00:00.000","12,523"
"September 4th 2015, 15:00:00.000","61,897"

If you want to export the logs themselves (not just timestamps and counts), you have a few options (tylerjl answered this nicely on the Kibana forums):

If you're looking to actually export logs from Elasticsearch, you probably want to save them somewhere, so viewing them in the browser probably isn't the best way to view hundreds or thousands of logs. There are a couple of options here:

  • In the "Discover" tab, you can click on the arrow tab near the bottom to see the raw request and response. You could click "Request" and use that as a query to ES with curl (or something similar) to query ES for the logs you want.

  • You could use logstash or stream2es to dump out the contents of an index (with possible query parameters to get the specific documents you want.)

If you have trouble making your own request with curl, or you don't need an automated program to pull logs out of Kibana, just click 'Response' and grab what you need.

After running into trouble like 'xsrf token missing' when using curl, I found this way much simpler and easier!

As others have said, the Request button appears after clicking the arrow tab near the bottom.

This is an old post, but I think people are still looking for a good answer.

You can easily export your search results from Kibana Discover.

  1. First click Save, then click Share
  2. Click CSV Reports
  3. Then click Generate CSV
  4. After a few moments you will see the download option in the bottom right corner.

This works for Kibana v7.2.0 - exporting query results to a local JSON file. Here I assume you have Chrome; a similar approach probably works for Firefox.

  1. Chrome - open Developer Tools / Network
  2. Kibana - run your query
  3. Chrome - right-click the network call and choose Copy / Copy as cURL
  4. Command line - run [cURL from step 3] > query_result.json. The query response data is now stored in query_result.json

Edit: use jq to drill down to the source nodes in the resulting JSON file:

jq '.responses | .[]  | .hits  | .hits | .[]._source ' query_result.json
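A worked example, added here and not part of the answer above: the same drill-down as the jq filter (`.responses[].hits.hits[]._source`, i.e. the shape of an `_msearch` response) done in Python over a constructed `query_result.json`, written out as CSV. Two things to keep in mind with this route. The command Chrome copies carries your Kibana session cookie (or Authorization header) along with the request, so treat that command as a credential and do not paste it into tickets or commit it in a script. And log content is attacker-controlled, so a cell that begins with `=`, `+`, `-` or `@` will be evaluated as a formula if anyone opens the CSV in a spreadsheet; the export below prefixes such cells with a single quote. The sample response and the names `hit_sources`, `neutralise` and `to_csv` are this example's own.

```python
import csv
import io
import json
import sys

# Constructed sample in the shape the jq filter above walks: a top-level
# "responses" array (an _msearch response), each element carrying
# hits.hits[]._source. Hosts, ids and messages are invented.
SAMPLE_RESPONSE = json.dumps({
    "responses": [{
        "hits": {"hits": [
            {"_index": "filebeat-2015.09.03", "_id": "1",
             "_source": {"@timestamp": "2015-09-03T06:00:00.000Z",
                         "host": "web-1", "message": "GET /login 200"}},
            {"_index": "filebeat-2015.09.03", "_id": "2",
             "_source": {"@timestamp": "2015-09-03T06:00:01.000Z",
                         "host": "web-1",
                         # an attacker-supplied log line a spreadsheet would evaluate
                         "message": '=HYPERLINK("http://evil.example/x","click")'}},
        ]}
    }]
})


def hit_sources(raw):
    """Yield every _source document, the equivalent of
    jq '.responses | .[] | .hits | .hits | .[]._source'.
    A plain _search response (no "responses" wrapper) is accepted too."""
    doc = json.loads(raw)
    for resp in doc.get("responses", [doc]):
        for hit in resp.get("hits", {}).get("hits", []):
            yield hit["_source"]


def neutralise(value):
    """Render a field as a CSV cell and defuse formula injection: spreadsheets
    treat a cell starting with = + - @ (or a tab / carriage return) as a
    formula, so such cells get a leading single quote and are stored as text."""
    if value is None:
        text = ""
    elif isinstance(value, (dict, list)):
        text = json.dumps(value, sort_keys=True)
    else:
        text = str(value)
    if text and text[0] in "=+-@\t\r":
        return "'" + text
    return text


def to_csv(raw, fields):
    """Flatten the selected fields of every hit into CSV text (header row first)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for src in hit_sources(raw):
        writer.writerow([neutralise(src.get(f)) for f in fields])
    return buf.getvalue()


if __name__ == "__main__":
    # python export_csv.py query_result.json @timestamp host message > logs.csv
    # (with no arguments it runs over the constructed sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
        fields = sys.argv[2:] or ["@timestamp", "message"]
    else:
        raw, fields = SAMPLE_RESPONSE, ["@timestamp", "host", "message"]
    sys.stdout.write(to_csv(raw, fields))
```

Negative numbers such as `-5` also get the quote prefix; that is the usual trade-off when the CSV is meant for a spreadsheet rather than for another program, and `neutralise` is the one place to relax it if you only ever feed the file to scripts.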

@Sean's answer is correct but lacks detail.

Here is a quick and simple script that grabs all logs from Elasticsearch via httpie, parses them via jq and writes them out, iterating the query with a scroll cursor so that more than the first 500 entries can be captured (unlike the other solutions on this page).

This script is implemented with httpie (the http command) and the fish shell, but can easily be adapted to more standard tools like bash and curl.

Set up the query according to @Sean's answer:

In the "Discover" tab, you can click on the arrow tab near the bottom to see the raw request and response. You could click "Request" and use that as a query to ES with curl (or something similar) to query ES for the logs you want.

# Output file, query body (the "Request" JSON copied from Discover), ES endpoint and index pattern
set output logs.txt
set query '<paste value from Discover tab here>'
set es_url http://your-es-server:port
set index 'filebeat-*'

function process_page
  # You can do anything with each page of results here
  # but writing to a TSV file isn't a bad example -- note
  # the jq expression here extracts a kubernetes pod name and
  # the message field, but can be modified to suit
  echo $argv | \
    jq -r '.hits.hits[]._source | [.kubernetes.pod.name, .message] | @tsv' \
    >> $output
end

function summarize_string
  # Print the first and last 10 characters of a long string (scroll IDs are long)
  echo (echo $argv | string sub -l 10)"..."(echo $argv | string sub -s -10 -l 10)
end

# Initial search: opens a scroll context that stays alive for 1 minute between calls
set response (echo $query | http POST $es_url/$index/_search\?scroll=1m)
set scroll_id (echo $response | jq -r ._scroll_id)
set hits_count (echo $response | jq -r '.hits.hits | length')
set hits_so_far $hits_count
echo "Got initial response with $hits_count hits and scroll ID "(summarize_string $scroll_id)

process_page $response

# Keep pulling pages until Elasticsearch returns an empty one
while test "$hits_count" != "0"
  set response (echo "{ \"scroll\": \"1m\", \"scroll_id\": \"$scroll_id\" }" | http POST $es_url/_search/scroll)
  set scroll_id (echo $response | jq -r ._scroll_id)
  set hits_count (echo $response | jq -r '.hits.hits | length')
  set hits_so_far (math $hits_so_far + $hits_count)
  echo "Got response with $hits_count hits (hits so far: $hits_so_far) and scroll ID "(summarize_string $scroll_id)

  process_page $response
end

# Release the server-side scroll context instead of waiting for the keepalive to expire
http DELETE $es_url/_search/scroll scroll_id=$scroll_id

echo Done!

The end result is all the logs matching the query from Kibana written to the output file specified at the top of the script, transformed according to the code in the process_page function.
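The same scroll loop as an added Python example (not the answer's own code, which is fish/httpie above), with two details worth making explicit: the page `size` on the initial request, since the Discover request carries Kibana's default sample size of 500 but a hand-written query falls back to Elasticsearch's default of 10 hits per page; and a `DELETE /_search/scroll` once the export finishes or is abandoned, because an open scroll context pins a snapshot of the index on the server until its keepalive expires. The transport is injectable: `http_transport` talks to a real cluster with urllib, while `FakeES` is a constructed stand-in serving a few invented documents so the paging and cleanup can be exercised offline. If you route the calls through Kibana's own HTTP API instead of Elasticsearch, pass `{"kbn-xsrf": "true"}` as `headers`; that missing header is what the 'xsrf token missing' error mentioned earlier on this page is about. The names `scroll_export`, `export_jsonl`, `FakeES` and `demo` are this example's own.

```python
import json
import urllib.request


def http_transport(method, url, body=None, headers=None):
    """Send one JSON request to a real cluster with urllib and decode the reply.
    Kibana's own HTTP API additionally requires a kbn-xsrf header;
    Elasticsearch itself does not."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def scroll_export(es_url, index, query, page_size=500, keepalive="1m",
                  transport=http_transport, headers=None):
    """Yield the _source of every document matching `query`, one scroll page
    at a time. Stops on the first empty page (the same condition as the fish
    loop) and always releases the scroll context, even if the consumer stops early."""
    body = dict(query)
    body["size"] = page_size                      # explicit: ES defaults to 10 per page
    resp = transport("POST", f"{es_url}/{index}/_search?scroll={keepalive}", body, headers)
    scroll_id = resp.get("_scroll_id")
    try:
        while True:
            hits = resp.get("hits", {}).get("hits", [])
            if not hits:
                break
            for hit in hits:
                yield hit["_source"]
            resp = transport("POST", f"{es_url}/_search/scroll",
                             {"scroll": keepalive, "scroll_id": scroll_id}, headers)
            scroll_id = resp.get("_scroll_id", scroll_id)
    finally:
        if scroll_id:                             # free the server-side context now
            transport("DELETE", f"{es_url}/_search/scroll",
                      {"scroll_id": scroll_id}, headers)


def export_jsonl(path, es_url, index, query, **kwargs):
    """Write one JSON document per line to `path`; returns the number written."""
    count = 0
    with open(path, "w", encoding="utf-8") as fh:
        for src in scroll_export(es_url, index, query, **kwargs):
            fh.write(json.dumps(src, sort_keys=True) + "\n")
            count += 1
    return count


class FakeES:
    """Constructed stand-in for Elasticsearch: serves `docs` in pages of the
    requested size and records every call, so the loop can be checked offline."""

    def __init__(self, docs):
        self.docs, self.pos, self.size = docs, 0, 10
        self.calls, self.cleared = [], False

    def __call__(self, method, url, body=None, headers=None):
        self.calls.append((method, url))
        if method == "DELETE":
            self.cleared = True
            return {"succeeded": True, "num_freed": 1}
        if "size" in (body or {}):                # only the initial request carries size
            self.size = body["size"]
        page = self.docs[self.pos:self.pos + self.size]
        self.pos += len(page)
        return {"_scroll_id": f"scroll-{self.pos}",
                "hits": {"total": {"value": len(self.docs)},
                         "hits": [{"_source": d} for d in page]}}


# Invented documents standing in for the index contents.
SAMPLE_DOCS = [{"@timestamp": f"2015-09-03T06:00:{i:02d}.000Z", "message": f"line {i}"}
               for i in range(7)]


def demo(page_size=3):
    """Run the exporter against the fake: 7 docs at 3 per page means one
    initial search, three scroll calls (the last one empty) and one DELETE."""
    fake = FakeES(SAMPLE_DOCS)
    docs = list(scroll_export("http://localhost:9200", "filebeat-*",
                              {"query": {"match_all": {}}},
                              page_size=page_size, transport=fake))
    return docs, fake


if __name__ == "__main__":
    docs, fake = demo()
    print(f"{len(docs)} docs, {len(fake.calls)} calls, scroll cleared: {fake.cleared}")
```

Against a real cluster, `export_jsonl("logs.jsonl", "http://your-es-server:9200", "filebeat-*", json.loads(query))` with the Discover request as `query` does what the fish script does, one JSON document per line instead of TSV. Note that jq's `@tsv` in the fish version escapes tabs and newlines but does not defuse cells that start with a formula character, so apply that step if the TSV is destined for a spreadsheet.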