How to do "where not exists" type filtering in Kibana/ELK?


Question

I am using ELK to create dashboards from my log files. I have a log file with entries that contain an id value and a "success"/"failure" value, displaying whether an operation with a given id succeeded or failed. Each operation/id can fail an unlimited number of times and succeed at most once. In my Kibana dashboard I want to display the count of log entries with a "failure" value for each operation id, but I want to filter out cases where a "success" log entry for the id exists. i.e. I am only interested in operations that never succeeded. Any hints for tricks that would achieve this?

Recommended answer

This is easy in the Kibana 5 search bar. Just add a filter:

!(_exists_:"your_variable") 

You can toggle the filter or write the inverse query as

_exists_:"your_variable"

In Kibana 4 and Kibana 3 you can use this query which is now deprecated

_missing_:"your_variable"

NOTE: In Elasticsearch 7.x, Kibana now has a pull down to select KQL or Lucene style queries in the search bar. Be mindful that syntax such as _exists_:FIELD is a Lucene syntax and you need to set the pulldown accordingly.
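
Added example, not part of the original question or answer: the search-bar filters above test whether a field exists on each individual document, while the condition in the question ("no success entry exists for this id") compares documents that share an id. One way to express that is a terms aggregation with a bucket_selector, sent to the Elasticsearch search API; the Python below builds that request body and applies the same rule to constructed log entries. The field names `id` and `status`, their values, and the function names are assumptions.

```python
from collections import Counter

# Constructed sample entries (not from the original post). The field names
# "id" and "status" are assumptions about how the log lines were parsed.
SAMPLE_ENTRIES = [
    {"id": "op-1", "status": "failure"},
    {"id": "op-1", "status": "failure"},
    {"id": "op-1", "status": "success"},
    {"id": "op-2", "status": "failure"},
    {"id": "op-3", "status": "failure"},
    {"id": "op-3", "status": "failure"},
    {"id": "op-3", "status": "failure"},
    {"id": "op-4", "status": "success"},
]


def build_never_succeeded_query(id_field="id", status_field="status", max_ids=1000):
    """Search body: failure count per id, keeping only ids whose bucket holds
    zero "success" documents. Both fields must be keyword-mapped."""
    def count_of(value):
        return {"filter": {"term": {status_field: value}}}
    return {
        "size": 0,  # only the aggregation buckets are needed, not the hits
        "aggs": {"per_id": {
            "terms": {"field": id_field, "size": max_ids},
            "aggs": {
                "failures": count_of("failure"),
                "successes": count_of("success"),
                "never_succeeded": {"bucket_selector": {
                    "buckets_path": {"ok": "successes>_count",
                                     "failed": "failures>_count"},
                    "script": "params.ok == 0 && params.failed > 0",
                }},
            },
        }},
    }


def never_succeeded_failure_counts(entries):
    """Apply the same rule locally: failures per id, minus ids that succeeded."""
    failures = Counter(e["id"] for e in entries if e["status"] == "failure")
    succeeded = {e["id"] for e in entries if e["status"] == "success"}
    return {op: n for op, n in failures.items() if op not in succeeded}


if __name__ == "__main__":
    import json
    print(json.dumps(build_never_succeeded_query(), indent=2))
    print(never_succeeded_failure_counts(SAMPLE_ENTRIES))
```

The terms aggregation only returns up to `max_ids` buckets, so ids beyond that limit are not evaluated.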
