Kibana linking two independent events
Question
I have ELK configured for collecting data offline; the log files look something like this:
Info 2015-08-15 09:33:37,522 User 3 connected
Info 2015-08-15 10:03:57,592 User 99 connected
Info 2015-08-15 11:42:37,522 User 99 disconnected
Info 2015-08-15 11:49:12,108 User 3 disconnected
What I'm looking for is the average connection time on a timeline.
I can't add more information to the messages; specifically, I can't add the connection time to the disconnection message.
Accepted answer
If you're loading your ES with Logstash, you can use the aggregate filter in order to assemble discrete log lines that are correlated. The idea is to notice when a long-lasting event starts (i.e. User connected) and then end it when the disconnected event for the same user flies by (note that your grok pattern might differ, but the principle is the same):
filter {
  grok {
    # TIMESTAMP_ISO8601 accepts the comma-separated milliseconds used in these lines
    match => [ "message", "%{LOGLEVEL:loglevel} %{TIMESTAMP_ISO8601:timestamp} %{WORD:entity} %{INT:userid} %{WORD:status}" ]
  }
  if [status] == "connected" {
    aggregate {
      task_id => "%{userid}"
      # map_action "create" only runs the code if no map exists yet for this userid,
      # so a second "connected" without a "disconnected" in between keeps the first start time
      code => "map['started'] = event.get('timestamp')"
      map_action => "create"
    }
  }
  if [status] == "disconnected" {
    aggregate {
      task_id => "%{userid}"
      # grok yields the timestamp as a string; it must be parsed before subtracting.
      # Time#- returns seconds as a Float, so scale to milliseconds and round.
      code => "
        require 'time'
        started = Time.strptime(map['started'], '%Y-%m-%d %H:%M:%S,%L')
        ended   = Time.strptime(event.get('timestamp'), '%Y-%m-%d %H:%M:%S,%L')
        event.set('duration', ((ended - started) * 1000).round)
      "
      # map_action "update" runs the code only if a map exists: a disconnect with no
      # matching connect passes through without a duration field
      map_action => "update"
      end_of_task => true
      # timeout is in seconds: 86400 is one day (86400000 would be about 2.7 years)
      timeout => 86400
    }
  }
}
You'll end up with an additional field called duration (in milliseconds) which you can then use to plot on Kibana for showing the average connection time.
Also note that I'm giving an arbitrary timeout of one day, which might or might not suit your case. Feel free to play around.
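The following Ruby script is an added example, not code from the original answer or from the Logstash aggregate plugin. It replays the correlation logic of the filter above outside Logstash, over a constructed copy of the question's four log lines, so you can check the duration values the pipeline should produce and see what happens when the timeout is shorter than a session (the session is expired and its "disconnected" line becomes an unmatched orphan, just as an aggregate map that timed out would). The `correlate` and `average_duration_ms` function names, the `LINE_RE` regex and the `SAMPLE_LOG` lines are assumptions made for this example.

```ruby
require 'time'

# Constructed sample input in the same format as the question's log (not real data).
SAMPLE_LOG = <<~LOG
  Info 2015-08-15 09:33:37,522 User 3 connected
  Info 2015-08-15 10:03:57,592 User 99 connected
  Info 2015-08-15 11:42:37,522 User 99 disconnected
  Info 2015-08-15 11:49:12,108 User 3 disconnected
LOG

# Equivalent of the grok pattern used in the answer (loglevel, timestamp, entity, userid, status).
LINE_RE = /\A(?<loglevel>\w+) (?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?<entity>\w+) (?<userid>\d+) (?<status>\w+)\z/

# The log writes milliseconds after a comma; %L parses them into the Time's subseconds.
def parse_ts(str)
  Time.strptime(str, '%Y-%m-%d %H:%M:%S,%L')
end

# Emulates the aggregate filter: one "map" per userid holding the connect time,
# closed by the matching disconnect. Sessions older than timeout_seconds are
# dropped, like an aggregate map that hit its timeout.
# Returns a hash with completed durations (ms), disconnects that found no open
# session, and sessions still open at end of input.
def correlate(log_text, timeout_seconds: 86_400)
  sessions  = {}   # userid => start Time (the aggregate "map")
  durations = []   # [userid, duration_ms] in the order the disconnects arrive
  orphans   = []   # userids whose disconnect had no open session

  log_text.each_line do |line|
    m = LINE_RE.match(line.strip)
    next unless m                      # grok would tag this line _grokparsefailure
    ts  = parse_ts(m[:timestamp])
    uid = m[:userid]

    # Expire stale sessions before handling this event (aggregate timeout behaviour).
    sessions.delete_if { |_, started| ts - started > timeout_seconds }

    case m[:status]
    when 'connected'
      # map_action => "create": keep the first start time if one already exists
      sessions[uid] ||= ts
    when 'disconnected'
      started = sessions.delete(uid)   # end_of_task => true removes the map
      if started.nil?
        orphans << uid                 # map_action => "update" with no map: no duration
        next
      end
      durations << [uid, ((ts - started) * 1000).round]
    end
  end

  { durations: durations, unmatched_disconnects: orphans, still_open: sessions.keys }
end

# Mean of the durations, i.e. what the Kibana average-of-duration visualisation shows.
def average_duration_ms(result)
  d = result[:durations]
  return nil if d.empty?
  d.sum { |_, ms| ms } / d.size.to_f
end

if __FILE__ == $PROGRAM_NAME
  p correlate(SAMPLE_LOG)
  p average_duration_ms(correlate(SAMPLE_LOG))
  p correlate(SAMPLE_LOG, timeout_seconds: 7200)
end
```

With the default one-day timeout both sessions close normally (user 99: 5919930 ms, user 3: 8134586 ms). With a two-hour timeout, user 3's session (about 2h15m) is expired before its disconnect arrives, so that disconnect is reported as unmatched and only user 99 contributes to the average; pick the aggregate timeout with your longest plausible session in mind.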