I have a whole ELK stack, along with a customized Kibana container with Logtrail.
When I open it, I can see the logs in Kibana, but not in the Logtrail plugin. I always get "No events found".
My configuration looks like this (for testing purposes):
{
  "index_patterns": [
    {
      "es": {
        "default_index": "logstash-*",
        "allow_url_parameter": false
      },
      "tail_interval_in_seconds": 5,
      "max_buckets": 500,
      "nested_objects": false,
      "display_timezone": "local",
      "default_time_range_in_days": 0,
      "max_hosts": 10,
      "display_timestamp_format": "MM-dd HH:mm:ss.fff",
      "fields": {
        "mapping": {
          "timestamp": "@timestamp",
          "display_timestamp": "@timestamp",
          "hostname": "message",
          "program": "message",
          "message": "message"
        }
      }
    }
  ]
}
My log entry, as visible in Kibana:
{
  "_index": "logstash-2017.06.27",
  "_type": "logs",
  "_id": "AVzrfuXhrXfjBRR51Pyo",
  "_version": 1,
  "_score": null,
  "_source": {
    "source_host": "10.255.0.5",
    "level": 6,
    "created": "2017-06-27T13:31:01.373596557Z",
    "log_level": "DEBUG",
    "message": "Discovered 3 resources",
    "version": "1.1",
    "call_site": "onResourcesFound:76",
    "command": "java -cp classes:dependency/* Application",
    "tags": [
      "_dateparsefailure"
    ],
    "image_name": "xyz",
    "@timestamp": "2017-06-27T21:39:41.137Z",
    "container_name": "xyz",
    "service": "device-management",
    "host": "Docker-2",
    "@version": "1",
    "tag": "59858d7aa20d",
    "image_id": "sha256:acbccc5b39088ac1b2993e9e9dcd290e7cfa10499ef5eeca9f145d44ccc5571b",
    "container_id": "59858d7aa20dae4bc6220c4ff7366d7bef059d50213e852c3adab2eb8493af08",
    "timestamp": "17-06-27 21:39:41.137"
  },
  "fields": {
    "created": [
      1498570261373
    ],
    "@timestamp": [
      1498599581137
    ]
  },
  "sort": [
    1498599581137
  ]
}
Where is the problem?
Best answer
I don't see this line anywhere in your JSON file:
"message_format":"{{{syslog_message}}}"
You should be able to add fields to it using {fieldname} in the existing line.
Some reference pages:
here and here.
At one point I had my own custom message_format set, but I can't find the reference to the page that showed me how to set up the format.
Edit:
It also looks like you need to map the fields correctly. Here is my lost-and-found index from my json file:
{
  "index_patterns": [
    {
      "es": {
        "default_index": "lnf-*",
        "allow_url_parameter": false
      },
      "tail_interval_in_seconds": 10,
      "es_index_time_offset_in_seconds": 0,
      "display_timezone": "local",
      "display_timestamp_format": "MMM DD HH:mm:ss",
      "max_buckets": 500,
      "default_time_range_in_days": 0,
      "max_hosts": 100,
      "max_events_to_keep_in_viewer": 5000,
      "fields": {
        "mapping": {
          "timestamp": "@timestamp",
          "display_timestamp": "@timestamp",
          "hostname": "logsource",
          "program": "program",
          "message": "message"
        },
        "message_format": "{{{message}}}"
      }
    }
  ]
}
Note that you have "message" in every one of your field mappings ...
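A small offline check for the two points the answer raises (the field mapping and the missing message_format), as an added example that is not code from the question, the answer or Logtrail itself. The sample document is trimmed from the hit shown in the question; the corrected "fields" block pointing hostname/program at host/service and its template are hypothetical, and the renderer assumes, as the answer does, that no event line is produced when message_format is absent.

```python
import re
# Constructed sample, trimmed from the _source of the hit shown in the question.
SAMPLE_SOURCE = {
    "log_level": "DEBUG",
    "message": "Discovered 3 resources",
    "@timestamp": "2017-06-27T21:39:41.137Z",
    "host": "Docker-2",
    "service": "device-management",
}

# The question's "fields" block: every mapped field exists, but no message_format.
QUESTION_FIELDS = {
    "mapping": {
        "timestamp": "@timestamp",
        "display_timestamp": "@timestamp",
        "hostname": "message",
        "program": "message",
        "message": "message",
    }
}

# Hypothetical corrected block: real host/service fields plus a {{{field}}} template.
FIXED_FIELDS = {
    "mapping": {
        "timestamp": "@timestamp",
        "display_timestamp": "@timestamp",
        "hostname": "host",
        "program": "service",
        "message": "message",
    },
    "message_format": "{{{log_level}}} {{{message}}}",
}

FIELD_REF = re.compile(r"\{\{\{([\w@][\w@.-]*)\}\}\}")

def missing_mapped_fields(fields, source):
    """ES field names used in 'mapping' that the document does not contain."""
    return sorted(f for f in set(fields["mapping"].values()) if f not in source)

def unresolved_template_fields(fields, source):
    """Fields referenced by message_format that the document does not contain."""
    refs = FIELD_REF.findall(fields.get("message_format", ""))
    return sorted(set(r for r in refs if r not in source))

def render_event(fields, source):
    """Event line built from message_format; None when it is absent (assumed: no default)."""
    fmt = fields.get("message_format")
    if fmt is None:
        return None
    return FIELD_REF.sub(lambda m: str(source.get(m.group(1), "")), fmt)
```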