问题描述

我正在使用ELK从我的日志文件中创建仪表板。我有一个日志文件，其中的条目包含一个id值和一个成功 /失败值，显示具有给定id的操作是成功还是失败。每个操作/ ID可以无限次失败，并且最多只能成功一次。在我的Kibana仪表板中，我想显示每个操作ID带有失败值的日志条目的数量，但是我想过滤掉ID存在成功日志条目的情况。即，我只对从未成功的操作感兴趣。

I am using ELK to create dashboards from my log files. I have a log file with entries that contain an id value and a "success"/"failure" value, displaying whether an operation with a given id succeeded or failed. Each operation/id can fail an unlimited number of times and succeed at most once. In my Kibana dashboard I want to display the count of log entries with a "failure" value for each operation id, but I want to filter out cases where a "success" log entry for the id exists. i.e. I am only interested in operations that never succeeded. Any hints for tricks that would achieve this?

推荐答案

在Kibana 5搜索栏中这很容易。只需添加一个过滤器

This is easy in Kibana 5 search bar. Just add a filter

!(_exists_:"your_variable")

您可以切换过滤器或将反向查询写为

you can toggle the filter or write the inverse query as

_exists_:"your_variable"

在Kibana 4和Kibana 3您可以使用现在不推荐使用的查询

In Kibana 4 and Kibana 3 you can use this query which is now deprecated

_missing_:"your_variable"

注意：在Elasticsearch 7.x中，Kibana现在有一个下拉列表在搜索栏中选择KQL或Lucene样式查询。请注意，诸如 _exists_：FIELD 之类的语法是Lucene语法，您需要相应地设置下拉列表。

NOTE: In Elasticsearch 7.x, Kibana now has a pull down to select KQL or Lucene style queries in the search bar. Be mindful that syntax such as _exists_:FIELD is a Lucene syntax and you need to set the pulldown accordingly.

这篇关于如何做“不存在的地方”？在Kibana / ELK中进行类型过滤？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！