I am using Logstash 1.4.2 and have the following conf file.
I would like to see "received_at", "received_from" and "description" as options in the "Fields" section on the left-hand side of Kibana, but I do not.
I see:
I do see the following in the _source section on the right...
received_at: 2015-05-11 14:19:40 UTC received_from: PGP02 description: Error1!
So how come these do not show up in the "Popular fields" list?
I would like to filter on the right-hand side so that not every field is shown in the _source section on the right. Please excuse the edit blocks.
input {
  # Tail both server error logs from the beginning; each file keeps its own
  # sincedb so Logstash remembers where it stopped after a restart.
  file {
    path => "C:/ServerErrlogs/office-log.txt"
    start_position => "beginning"
    sincedb_path => "c:/tools/logstash-1.4.2/office-log.sincedb"
    tags => ["product_qa", "office"]
  }
  file {
    path => "C:/ServerErrlogs/dis-log.txt"
    start_position => "beginning"
    sincedb_path => "c:/tools/logstash-1.4.2/dis-log.sincedb"
    tags => ["product_qa", "dist"]
  }
}

filter {
  grok {
    # One match hash with both patterns instead of two separate "match"
    # settings. The path pattern must end in \.txt to match the inputs
    # above (the original \.log never matched "office-log.txt").
    match => {
      "path"    => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.txt"
      "message" => "%{TIMESTAMP_ISO8601:logdate}: %{LOGLEVEL:loglevel} (?<logmessage>.*)"
    }
    # add_field values are interpolated strings, so received_at is stored
    # as a string, not a date.
    add_field => {
      "received_at"   => "%{@timestamp}"
      "received_from" => "%{host}"
    }
  }

  # Use the timestamp from the log line as the event's @timestamp.
  date {
    match => [ "logdate", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSSSSSSSS" ]
  }

  # logdate is now parsed into @timestamp; remove the original message too.
  mutate {
    remove_field => [ "message", "logdate" ]
    add_field => { "description" => "Error1!" }
  }
}

output {
  elasticsearch {
    protocol => "http"
    host => "0.0.0.x"
  }
}
Update:
I have tried a query like this:
tags:data AND loglevel:INFO
and then saved this query, then reloaded the page.
But I still do not see loglevel showing up as a "Popular field".
Best answer
If the fields do not appear on the left, it may be a Kibana cache issue. Go to "Settings" -> "Indices", select the index, and click the orange "Refresh" button.
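Kibana's field list is built from the index mapping in Elasticsearch, so before assuming a cache problem it is worth confirming the fields actually exist in the mapping (for example with `curl 'http://<es-host>:9200/logstash-*/_mapping?pretty'`). The following is an added example, not part of the question or answer above, that flattens such a mapping response and reports which expected fields are missing. The `SAMPLE_MAPPING` below is a constructed stand-in for what that request might return for the index written by the conf in the question; the field names and types are assumptions for illustration.

```python
import json

# Constructed sample of a GET /logstash-2015.05.11/_mapping response.
# This is illustrative data, not a real Elasticsearch reply.
SAMPLE_MAPPING = json.loads("""
{
  "logstash-2015.05.11": {
    "mappings": {
      "logs": {
        "properties": {
          "@timestamp": {"type": "date", "format": "dateOptionalTime"},
          "@version":   {"type": "string"},
          "host":       {"type": "string",
                         "fields": {"raw": {"type": "string", "index": "not_analyzed"}}},
          "path":       {"type": "string"},
          "tags":       {"type": "string"},
          "filename":   {"type": "string"},
          "loglevel":   {"type": "string"},
          "logmessage": {"type": "string"},
          "received_at":   {"type": "string"},
          "received_from": {"type": "string"},
          "description":   {"type": "string"}
        }
      }
    }
  }
}
""")


def flatten_properties(properties, prefix=""):
    """Walk an ES 'properties' mapping and yield (dotted_name, type) pairs.

    Handles nested objects (a 'properties' key) and multi-fields (a 'fields'
    key, e.g. the '.raw' sub-field Logstash's default template adds).
    """
    for name, spec in properties.items():
        full = f"{prefix}{name}"
        if "properties" in spec:
            yield from flatten_properties(spec["properties"], full + ".")
        else:
            yield full, spec.get("type", "object")
        for sub, subspec in spec.get("fields", {}).items():
            yield f"{full}.{sub}", subspec.get("type", "object")


def mapped_fields(mapping_response):
    """Return {field_name: type} over every index and doc type in the response."""
    fields = {}
    for index in mapping_response.values():
        for doc_type in index.get("mappings", {}).values():
            fields.update(flatten_properties(doc_type.get("properties", {})))
    return fields


def missing_fields(mapping_response, expected):
    """Names from `expected` that no index in the response has mapped."""
    present = mapped_fields(mapping_response)
    return sorted(f for f in expected if f not in present)


if __name__ == "__main__":
    wanted = ["received_at", "received_from", "description", "loglevel"]
    for name, typ in sorted(mapped_fields(SAMPLE_MAPPING).items()):
        print(f"{name:20} {typ}")
    print("missing:", missing_fields(SAMPLE_MAPPING, wanted))
```

If a field is present in the mapping but not in the Kibana field list, the refresh step from the answer is the right fix; if it is absent from the mapping, no document carrying that field has been indexed yet and the filter (not Kibana) is where to look. Note also that `add_field => { "received_at" => "%{@timestamp}" }` stores a string, so `received_at` will appear as a string field rather than a date.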