我有一条消息流经多个系统,每个系统记录消息进入和退出时带有时间戳和uuid messageId.我通过以下方式摄取所有日志:
filebeat --> logstash --> elastic search --> kibana
结果我现在有这些事件:
@timestamp messageId event
May 19th 2016, 02:55:29.003 00e02f2f-32d5-9509-870a-f80e54dc8775 system1Enter
May 19th 2016, 02:55:29.200 00e02f2f-32d5-9509-870a-f80e54dc8775 system1Exit
May 19th 2016, 02:55:29.205 00e02f2f-32d5-9509-870a-f80e54dc8775 system2Enter
May 19th 2016, 02:55:29.453 00e02f2f-32d5-9509-870a-f80e54dc8775 system2Exit
我想在每个系统中生成一个报告(理想情况是堆积条或列):
messageId in1:1->2:in2
00e02f2f-32d5-9509-870a-f80e54dc8775 197:5:248
做这个的最好方式是什么?Logstash过滤器?kibana计算字段?