使用RegEx查询Kibana中的字段 [英] Query fields in Kibana with RegEx
问题描述
我需要在Kibana日志中搜索具有特定内容的字段.该字段为消息",看起来像这样:
I need to search in Kibana Logs for fields with a specific content. The field is "message", that looks like this:
11.111.72.58--[26/Nov/2020:08:44:23 +0000]" GET/images/image.jpg HTTP/1.1" 200 123456" https://website.com/questionnaire/uuid/result" "Mozilla/5.0(Macintosh; Intel Mac OS X 10_15_7)AppleWebKit/605.1.14(KHTML,例如Gecko)版本/14.0.1 Safari/605.1.14" "5.158.163.231"
11.111.72.58 - - [26/Nov/2020:08:44:23 +0000] "GET /images/image.jpg HTTP/1.1" 200 123456 "https://website.com/questionnaire/uuid/result" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.14 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.14" "5.158.163.231"
该字段包含URI,例如此处"https://website.com/questionnaire/uuid/result".如何在该字段中搜索特定的URI? 我需要获取所有日志,其中消息"字段为包含"https://website.com/questionnaire/someUUID*/result" 或URI确切为"https://website.com/"
This field contains URIs, for example here "https://website.com/questionnaire/uuid/result". How can I search for specific URIs in that field? I need to get all Logs, where the field "message" contains "https://website.com/questionnaire/someUUID*/result" or where the URI is exactly "https://website.com/"
我尝试过使用Lucene:
I've tried with Lucene:
消息:/https://.+/result/
message:/https://.+/result/
没有找到
消息:https.* \结果
message:https.*\result
找到开头带有"https:"的
URI,但也返回没有"result"结果的URI.最后
URIs with "https: at the beginning found, but also returns URIs without "result" at the end
消息:"https://website.com/questionnaire" AND消息:结果"
message : "https://website.com/questionnaire" AND message : "result"
这是可行的,但是如果结果"为0,这也将可行.不会与URI相关,而只是在消息"字段的末尾单独停留.而且,我需要一些可以真正查询"之间的URI的东西. ". 稍后,我需要使用Kibana可视化每个URI的请求量.所以我认为我需要使用Lucene或Query DSL. 有什么想法吗?
This works, but this would also work, if "result" would not be related to the URI, but would just stay alone at the end of the "message"-field. And I need something, that would really query those URIs between " ". I need to visualise the amount of requests for each URI with Kibana later. So I think I need to use Lucene or Query DSL. Any ideas?
推荐答案
If you declare your message field as wildcard like this:
PUT test
{
"mappings": {
"properties": {
"message": {
"type": "wildcard"
}
}
}
}
然后索引您的文档
PUT test/_doc/1
{
"message": """11.111.72.58 - - [26/Nov/2020:08:44:23 +0000] "GET /images/image.jpg HTTP/1.1" 200 123456 "https://website.com/questionnaire/uuid/result" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.14 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.14" "5.158.163.231"
"""
}
然后,您可以运行 wildcard搜索(即使使用
You can then run wildcard searches (even with leading wildcards which are discouraged to run on normal keyword fields) and find your document easily.
GET test/_search
{
"query": {
"wildcard": {
"message": {
"value": "*https*uuid*"
}
}
}
}
这篇关于使用RegEx查询Kibana中的字段的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
