我正在努力为 Elastic Search 制定正确的 API 搜索调用,该调用将在过去 1 小时内询问我想要的 ipv4address。
第一次尝试:
curl -X GET "localhost:9200/ipaddresses/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"match": {
"ipv4address": {
"query": "50.167.71.25"
}
}
},
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": "now"
}
}
}
'
{"error":{"root_cause":[{"type":"parsing_exception","reason":"[range] 中 START_OBJECT 的未知键。","line":10,"col":12}] ,"type":"parsing_exception","reason":"[range] 中 START_OBJECT 的未知键。","line":10,"col":12},"status":400}
第二次尝试:
curl -X GET "localhost:9200/ipaddresses/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"match": {
"ipv4address": {
"query": "50.167.71.25"
}
}
},
"fields": {
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": …有人可以帮忙吗?我需要修复该错误,以便 S3 中的 CloudTrail 日志可以发送到 Logstash ES 并在 Kibana 中查看。无法弄清楚如何将字段限制提高到更高。我的配置看起来像
input {
s3 {
bucket => "sample-s3bucket"
region => "eu-west-1"
type => "cloudtrail"
codec => cloudtrail {}
sincedb_path => "/tmp/logstash/cloudtrail"
exclude_pattern => "/CloudTrail-Digest/"
interval => 300
}
}
filter {
if [type] == "cloudtrail" {
json {
source => "message"
}
geoip {
source => "sourceIPAddress"
target => "geoip"
add_tag => ["cloudtrail-geoip"]
}
}
}
output {
elasticsearch {
hosts => "coordinate_node:9200"
index => 'cloudtrail-%{+YYYY.MM.dd}'
}
stdout {
codec => …在处理新版本的仪表板时,我需要保持以前的版本不变。所以我需要克隆现有的仪表板并将其保存为带有一些后缀的原始名称 - 例如 v.2。
我知道可以在 Kibana 中克隆仪表板,但它只能克隆仪表板。这意味着将有两个仪表板将共享相同的可视化。
是否也有一种自动方法来克隆可视化并使新的克隆仪表板使用这些克隆的可视化?
我正在使用 ELK 进行监控。几天前它工作正常,突然停止工作。
请帮我解决这个问题。
错误日志:
java.lang.IllegalArgumentException:插件 [ingest-geoip] 是为 Elasticsearch 6.2.4 版构建的,但 6.5.0 版正在 org.elasticsearch.plugins.PluginsService.verifyCompatibility(PluginsService.java:339) ~[elasticsearch-6.5. 0.jar:6.5.0] 在 org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:524) ~[elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch.plugins.PluginsService.loadBundles( PluginsService.java:464) ~[elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch.plugins.PluginsService.(PluginsService.java:156) ~[elasticsearch-6.5.0.jar:6.5.0]在 org.elasticsearch.node.Node.(Node.java:338) ~[elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch.node.Node.(Node.java:265) ~[elasticsearch- 6.5.0.jar:6.5.0] 在 org.elasticsearch.bootstrap。Bootstrap$5.(Bootstrap.java:212) ~[elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.5.0.jar :6.5.0] 在 org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) [elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java: 136) [elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) [elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch。 cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.5.0.jar:6.5.0] 在 org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.5.0] .jar:6.5.0] 在 org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.5.0.jar:6.5.0] 在 org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) [elasticsearch-6.5.0.jar:6.5.0] 在 org. elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) [elasticsearch-6.5.0.jar:6.5.0] [2018-11-15T23:33:31,908][WARN][oebElasticsearchUncaughtExceptionHandler] [97v4l7O] 未捕获异常线程 [main] org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: 插件 [ingest-geoip] 是为 Elasticsearch 6.2.4 版构建的,但 6.5.0 …
我正在尝试使用curl命令创建可视化。我正在使用elasticsearch 6.2.3。我可以在elasticsearch 5.6.8中创建相同的对象。我正在使用此命令
curl -XPUT http://localhost:9200/.kibana/visualization/vis1 -H 'Content-Type: application/json' -d @vis1.json
它显示此错误:
{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Rejecting mapping update to [.kibana] as the final mapping would have more than 1 type: [visualization, doc]"}],"type":"illegal_argument_exception","reason":"Rejecting mapping update to [.kibana] as the final mapping would have more than 1 type: [visualization, doc]"},"status":400}vis1.json的内容:
{
"title": "vis1",
"visState": "{\"title\":\"vis1\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"split\",\"params\":{\"field\":\"UsageEndDate\",\"interval\":\"M\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ProductName.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"4eb9f840-3969-11e8-ae19-552e148747c3\",\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
}
}在elasticearch 5.6.8中工作正常,但在6.2.3中则不能。
提前致谢。