Elasticsearch+logstash+kibana Configuration
There are plenty of articles about installing Elasticsearch+logstash+kibana, so that is not repeated here; this post only covers a few of the finer points.
Considerations for installing in AWS EC2
- Remember to open ports 9200, 9300 and 5601
- For the Elasticsearch address, do not use the external IP, otherwise it wastes data transfer; use the internal IP
    output {
      elasticsearch {
        # internal EC2 hostname, not the public IP
        host     => "ip-10-160-94-102.ap-northeast-1.compute.internal"
        port     => 9200
        # option name was lost in extraction; "cluster" is assumed here
        cluster  => "elasticsearch"
        protocol => "http"
      }
    }
What patterns does grok have?
The full list is here;
It is worth noting that QUOTEDSTRING and GREEDYDATA are very handy when the text does not fit a more specific pattern;
Grok Debugger is a great tool to use;
How do I drop the logs I don't need?
Posts online suggest the grep filter, but on the one hand grep is not an official plugin (it lives in logstash-contrib), and on the other hand some versions seem not to have it at all. So I ended up using only if statements and grok.
The basic logic is:
- Add a tag to each pattern that matches
- Before the end of the filter, check whether any useful tag is present
    if !("tagA" in [tags] or "tagB" in [tags]) {
      drop {}
    }
Why can't a field be summed or averaged, and why is my field indexed as a string rather than a number?
Grok's documentation is misleading here: %{NUMBER:myfield} only means that the NUMBER regular expression is used for matching; the matched result is still indexed as a string.
To specify the indexed type, write %{NUMBER:myfield:int} (or :float).
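The two points above, tagging each matching grok pattern and dropping events with no useful tag, plus casting numeric fields with :int so they can be summed and averaged, combined into one filter block. This is an added example, not config from the original post; the log formats, field names and the tags tagA/tagB are assumed.

```logstash
filter {
  # Pattern 1: a web access log line, e.g.
  #   10.0.0.5 GET /login 200 512
  # :int casts status and bytes at index time so Kibana can sum/average them.
  grok {
    match   => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:status:int} %{NUMBER:bytes:int}" }
    add_tag => [ "tagA" ]
    # a miss here is expected, so do not mark the event with _grokparsefailure
    tag_on_failure => []
  }

  # Pattern 2: an application log line, e.g.
  #   2014-06-01T12:00:00Z ERROR connection refused
  # GREEDYDATA captures the free-form remainder of the line.
  grok {
    match   => { "message" => "%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} %{GREEDYDATA:msg}" }
    add_tag => [ "tagB" ]
    tag_on_failure => []
  }

  # Neither pattern matched: drop the event before it reaches Elasticsearch.
  if !("tagA" in [tags] or "tagB" in [tags]) {
    drop {}
  }
}
```

Events that reach Elasticsearch carry tagA or tagB, and status and bytes arrive as integers instead of strings, so the field type is right from the first index.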
If a field has already been indexed as a string, it should be possible to change it to int with the Elasticsearch mapping API, but I did not succeed. What worked for me in the end was deleting the old index and indexing again.
    $ curl -XDELETE 'http://localhost:9200/twitter/'
How do I build visualizations?
There is a lot I still don't understand; if you have the energy, read the documentation written by the experts. Briefly, a few basic principles and tips:
- "Split" is equivalent to GROUP BY
- A "Search" is created in "Discover"
- After selecting Terms, size 0 means no limit
- After selecting Terms, you can restrict the field with include or exclude, which is equivalent to WHERE
Finally, here is one I made myself, which took three days:
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.