How to make one discover table link to another discover table in Dashboard or elsewhere?

Question
I'm using the latest elasticsearch + kibana + logstash + filebeat (6.4.1) to collect and analyze web logs. The columns of my log are like:

timestamp, http_method, request_uri, http_status, host, user_agent, client_ip, client_port
I have configured ELK to show my logs in Kibana. But now I want to see my logs in sessions. I hope the log lines can be grouped by session and shown in Kibana's Discover page. In my scenario, the log lines with the same (host, client_ip) belong to the same session.
I hope to have this:

Session table
name, client_ip, host
session1, www.google.com, 1.2.3.4
session2, www.bing.com, 5.6.7.8
session3, www.google.com, 4.3.2.1

When I click one of the above sessions (e.g., session1), I can see all the records of that session in the following 2nd table:
Log table
timestamp, http_method, request_uri, http_status, host, user_agent, client_ip, client_port
20181105, 21:33:17.773, POST, /index.html, 200, www.google.com, chrome 59, 1.2.3.4, 1234
20181105, 21:33:18.773, POST, /abc.html, 200, www.google.com, chrome 59, 1.2.3.4, 1234
20181105, 21:33:19.773, POST, /index.html, 404, www.google.com, chrome 59, 1.2.3.4, 5678
I know Elasticsearch does flat indexing, so it's not easy to have a hierarchy between documents. I'm OK with creating separate indices for the above two tables. I know a Dashboard can show two Discover tables at the same time. But my question is:

How can I link these two tables, so that when I click an item in the "Session" table, the "Log" table shows the corresponding content?

Or is there any other way to fulfill my requirement (view session-based logs easily in Kibana)? Thanks.
Update

The index for the Log table contains the session field, which can be session1, session2, etc. Both indices are under my control, so I can add any field if needed.
Answer
What I would do is to add a session field in the log table containing the same session name as in the session table for each log line. That's going to be your "join key".

Then, you can create one sessions index and another logs index. Both indexes must have that session field. Then go to Kibana and create one index pattern for each index.

Next, go to the Discover tab and create one saved search per index pattern; you should now have a saved search named "Logs" and another one named "Sessions".

Finally, head to the Dashboard tab and add the two saved searches you created previously. In the screenshot below, you can see that when hovering over the session field you can filter by that field. If you click on (e.g.) session2, then both tables will be filtered accordingly, thus achieving what you need.
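The answer's "join key" approach and the question's grouping rule, (host, client_ip) identifies a session, can be checked offline before touching Kibana. The script below is an added example, not code from the original question or answer: it parses constructed sample log lines (not the poster's data; the timestamps are ISO-8601 so each row has exactly the eight columns the question lists), names sessions in order of first appearance of (host, client_ip), stamps that name onto every log line as the `session` field, and renders both document sets as `_bulk` NDJSON for a `sessions` index and a `logs` index. The index names, the `session_mapping()` helper and the `logs_for_session()` helper are this example's own choices; the mapping stores `session` as a `keyword` so the dashboard filter is an exact match rather than an analyzed-text match, which is the thing that most often breaks this setup when the field is left to dynamic mapping.

```python
"""Derive a shared `session` join key for a sessions index and a logs index (example code)."""
import json
from collections import OrderedDict

# Constructed sample log lines (not data from the original post). Columns follow
# the question's order; timestamps are ISO-8601 so every row has exactly 8 fields.
SAMPLE_LOG = """\
2018-11-05T21:33:17.773, POST, /index.html, 200, www.google.com, chrome 59, 1.2.3.4, 1234
2018-11-05T21:33:18.773, POST, /abc.html, 200, www.google.com, chrome 59, 1.2.3.4, 1234
2018-11-05T21:33:19.773, POST, /index.html, 404, www.google.com, chrome 59, 1.2.3.4, 5678
2018-11-05T21:34:01.001, GET, /, 200, www.bing.com, firefox 62, 5.6.7.8, 4321
2018-11-05T21:35:10.500, GET, /login, 401, www.google.com, chrome 59, 4.3.2.1, 9999
"""

COLUMNS = ["timestamp", "http_method", "request_uri", "http_status",
           "host", "user_agent", "client_ip", "client_port"]


def parse_log(text):
    """Split comma-separated log lines into dicts keyed by COLUMNS."""
    docs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {line!r}")
        doc = dict(zip(COLUMNS, fields))
        doc["http_status"] = int(doc["http_status"])
        doc["client_port"] = int(doc["client_port"])
        docs.append(doc)
    return docs


def assign_sessions(log_docs):
    """Name sessions by first appearance of (host, client_ip) and stamp the name
    onto every log line. Returns (session_docs, log_docs_with_session)."""
    names = OrderedDict()
    stamped = []
    for doc in log_docs:
        key = (doc["host"], doc["client_ip"])
        if key not in names:
            names[key] = f"session{len(names) + 1}"
        stamped.append({**doc, "session": names[key]})
    # The sessions index carries the same `session` field, as the answer requires.
    session_docs = [{"session": name, "host": host, "client_ip": ip}
                    for (host, ip), name in names.items()]
    return session_docs, stamped


def session_mapping(extra_properties=None):
    """Index mapping in 6.x form (type name `_doc`). `session` is a keyword so a
    Kibana filter on it is an exact match; `client_ip` uses the ip type."""
    props = {"session": {"type": "keyword"},
             "host": {"type": "keyword"},
             "client_ip": {"type": "ip"}}
    props.update(extra_properties or {})
    return {"mappings": {"_doc": {"properties": props}}}


def to_bulk(index, docs, id_field=None):
    """Render docs as _bulk NDJSON. `_type` is required by 6.x and still accepted
    (deprecated) by 7.x."""
    lines = []
    for doc in docs:
        action = {"index": {"_index": index, "_type": "_doc"}}
        if id_field:
            action["index"]["_id"] = doc[id_field]
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def logs_for_session(log_docs, session):
    """What clicking a session value in the dashboard does: keep one session's lines."""
    return [d for d in log_docs if d["session"] == session]


if __name__ == "__main__":
    sessions, logs = assign_sessions(parse_log(SAMPLE_LOG))
    print(json.dumps(session_mapping(), indent=2))
    print(to_bulk("sessions", sessions, id_field="session"))
    print(to_bulk("logs", logs))
```

Run it and redirect the two NDJSON bodies to files; they can be posted with `curl -H 'Content-Type: application/x-ndjson' -XPOST http://localhost:9200/_bulk --data-binary @file` (hostname assumed) after the indices are created with the printed mapping. Using the session name as the `_id` of the sessions index keeps that index idempotent on re-runs, while log lines get auto-generated ids so repeated requests from one client are not collapsed.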