A_E*_*ric 5 search elasticsearch kibana
我在 Kibana 中有一条日志消息,其中包含以下内容:
org.hibernate.exception.GenericJDBCException: Cannot open connection
at org.springframework.orm.hibernate3.HibernateTransactionManager.doBegin(HibernateTransactionManager.java:597)
不返回结果的实际搜索: log_message: "hibernate3"
如果我搜索“hibernate3”,则不会出现此消息。我正在使用 Elasticsearch 模板并为该字段编制索引,但也希望能够进行不区分大小写的全文搜索。这可能吗?
正在使用的模板:
{
"template": "filebeat-*",
"mappings": {
"mainProgram": {
"properties": {
"@timestamp": {
"type": "date",
"format": "strict_date_optional_time||epoch_millis"
},
"@version": {
"type": "text"
},
"beat": {
"properties": {
"hostname": {
"type": "text"
},
"name": {
"type": "text"
}
}
},
"class_method": {
"type": "text",
"fielddata": "true",
"index": "true"
},
"class_name": {
"type": "text",
"fielddata": "true"
},
"clientip": {
"type": "ip",
"index": "not_analyzed"
},
"count": {
"type": "long"
},
"host": {
"type": "text",
"index": "not_analyzed"
},
"input_type": {
"type": "text",
"index": "not_analyzed"
},
"log_level": {
"type": "text",
"fielddata": "true",
"index": "true"
},
"log_message": {
"type": "text",
"index": "true"
},
"log_timestamp": {
"type": "text"
},
"log_ts": {
"type": "long",
"index": "not_analyzed"
},
"message": {
"type": "text"
},
"offset": {
"type": "long",
"index": "not_analyzed"
},
"query_params": {
"type": "text",
"index": "true"
},
"sessionid": {
"type": "text",
"index": "true"
},
"source": {
"type": "text",
"index": "not_analyzed"
},
"tags": {
"type": "text"
},
"thread": {
"type": "text",
"index": "true"
},
"type": {
"type": "text"
},
"user_account_combo": {
"type": "text",
"index": "true"
},
"version": {
"type": "text"
}
}
},
"access": {
"properties": {
"@timestamp": {
"type": "date",
"format": "strict_date_optional_time||epoch_millis"
},
"@version": {
"type": "text"
},
"beat": {
"properties": {
"hostname": {
"type": "text"
},
"name": {
"type": "text"
}
}
},
"clientip": {
"type": "ip",
"index": "not_analyzed"
},
"count": {
"type": "long",
"index": "not_analyzed"
},
"host": {
"type": "text",
"index": "true"
},
"input_type": {
"type": "text",
"index": "not_analyzed"
},
"log_timestamp": {
"type": "text"
},
"log_ts": {
"type": "long",
"index": "not_analyzed"
},
"message": {
"type": "text"
},
"offset": {
"type": "long",
"index": "not_analyzed"
},
"query_params": {
"type": "text",
"index": "true"
},
"response_time": {
"type": "long"
},
"sessionid": {
"type": "text",
"index": "true"
},
"source": {
"type": "text",
"index": "not_analyzed"
},
"statuscode": {
"type": "long"
},
"tags": {
"type": "text"
},
"thread": {
"type": "text",
"index": "true"
},
"type": {
"type": "text",
"index": "true"
},
"uripath": {
"type": "text",
"index": "true"
},
"user_account_combo": {
"type": "text",
"index": "true"
},
"verb": {
"type": "text",
"index": "true"
}
}
}
}
}
Kul*_*gar 14
根据您的场景,您正在寻找的是一种分析类型string,它首先分析字符串,然后对其进行索引。文档的引用。
换句话说,将此字段作为全文索引。
因此,请确保您正确映射了必要的字段,以便您能够对文档进行全文搜索。
假设,Kibana如果日志行位于 字段 下message,您可以简单地通过以下方式搜索该单词:
message:"hibernate3"
您可能还想参考此内容Term Based,以确定和之间的差异Full-Text。
编辑
字段的映射log_message如下:
"log_message": {
"type": "string", <- to make it analyzed
"index": "true"
}
还可以尝试进行通配符搜索,如下所示:
{"wildcard":{"log_message":"*.hibernate3.*"}}
oto*_*let 11
在 Kibana 6.4.1 中,我使用“%”作为通配符。
message: %hibernate3%
message: *.hibernate3.*
也有效(请注意,不需要引号)
| 归档时间: |
|
| 查看次数: |
30311 次 |
| 最近记录: |