Designing a Kibana Dashboard to Display Only the "Time" Value

Hello and good time to you all. I receive the following log in Kibana:

64 bytes from 4.2.2.4: icmp_seq=3 ttl=46 time=116 ms

I want to design a dashboard that only displays the value of "time". I was able to easily accomplish this in GrayLog using extractors, but I couldn't figure out how to implement it in Kibana. I would appreciate your guidance on how I can design a dashboard that shows only the value of "time".

Hi Ahmad. How are you ingesting your data into Elasticsearch?

You would probably want to use something like the Dissect plugin for Logstash or the Dissect processor in a pipeline for Elasticsearch.

Thank you for your response. I appreciate your guidance. I'm currently using Filebeat on one server to send logs to Elasticsearch, and I'm using Fleet on another server. I will follow your suggestion and try using the Dissect plugin or processor to extract the "time" value. I will let you know if I successfully resolve my issue and achieve the desired result.

Hi Ahmad. I was thinking about this and it looks like you are logging the output from a ping command? Obviously I'm not aware of your environment, but you might be able to replicate this more easily with the ICMP monitor available via Heartbeat. Heartbeat replicates the ICMP ECHO_REQUEST and has built-in support for extracting the fields for Elasticsearch.

Dear nickpeihl, yes you understood correctly. My log is the output of a ping command. I will try to address the issues you mentioned and will let you know the result.

Hello, good time to you!

I have read the links you sent and created a pipeline from the "Stack Management > Ingest Pipelines" section as follows:

test-PingTime

Processors
[
  {
    "grok": {
      "field": "message",
      "patterns": [
        "%{NUMBER:bytes} bytes from %{IP:ip_address}: icmp_seq=%{NUMBER:icmp_seq} ttl=%{NUMBER:ttl} time=%{NUMBER:pingtime} ms"
      ]
    }
  }
]

Failure processors
[
  {
    "dissect": {
      "field": "message",
      "pattern": "%{bytes} bytes from %{ip_address}: icmp_seq=%{icmp_seq} ttl=%{ttl} time=%{pingtime} ms"
    }
  }
]

I have created patterns for my desired log in both Grok and Dissect formats. Now, how can I design a dashboard only for pingtime that I specified in the pattern?
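To see what the grok and dissect processors in the pipeline above actually extract before wiring it into Filebeat, here is a small Python emulation (an added example, not code from this thread or from Elastic): the grok pattern is expanded to an equivalent regex, the dissect pattern is applied by cutting the line at its literal delimiters, and dissect runs only when grok fails, as the failure processor does. The sample lines other than the one from the post and the float cast of pingtime are constructed for illustration.

```python
import re

# Constructed samples: the line from the post, a ping to a hostname, a timeout line.
SAMPLE_LINES = [
    "64 bytes from 4.2.2.4: icmp_seq=3 ttl=46 time=116 ms",
    "64 bytes from dns.google (8.8.8.8): icmp_seq=1 ttl=118 time=15.2 ms",
    "Request timeout for icmp_seq 5",
]
# The pipeline's grok pattern with %{NUMBER} and %{IP} (IPv4 only) expanded to plain regex.
GROK_RE = re.compile(
    r"^(?P<bytes>\d+) bytes from (?P<ip_address>\d{1,3}(?:\.\d{1,3}){3}): "
    r"icmp_seq=(?P<icmp_seq>\d+) ttl=(?P<ttl>\d+) time=(?P<pingtime>\d+(?:\.\d+)?) ms$"
)
DISSECT_PATTERN = "%{bytes} bytes from %{ip_address}: icmp_seq=%{icmp_seq} ttl=%{ttl} time=%{pingtime} ms"

def grok_processor(message):
    """Grok: the whole line must match the typed pattern or the processor fails."""
    m = GROK_RE.match(message)
    if m is None:
        raise ValueError("grok pattern did not match")
    return m.groupdict()

def dissect_processor(message, pattern=DISSECT_PATTERN):
    """Dissect: cut the line at the literal delimiters between %{key}s; no type checks."""
    parts = re.split(r"%\{(\w+)\}", pattern)  # ['', 'bytes', ' bytes from ', 'ip_address', ...]
    literals, keys = parts[0::2], parts[1::2]
    pos, fields = len(literals[0]), {}
    for key, delim in zip(keys, literals[1:]):
        end = len(message) if delim == "" else message.find(delim, pos)
        if end < 0:
            raise ValueError("dissect pattern did not match")
        fields[key] = message[pos:end]
        pos = end + len(delim)
    if pos != len(message) or not message.startswith(literals[0]):
        raise ValueError("dissect pattern did not match")
    return fields

def run_pipeline(message):
    """Posted pipeline: grok, then dissect as the on_failure fallback; None when both fail."""
    for processor in (grok_processor, dissect_processor):
        try:
            fields = processor(message)
            break
        except ValueError:
            continue
    else:
        return None  # Elasticsearch would reject the document at this point
    # Both processors leave pingtime as a string; cast it here, as %{NUMBER:pingtime:float}
    # or a convert processor would in Elasticsearch, or Kibana cannot average or chart it.
    fields["pingtime"] = float(fields["pingtime"])
    return fields
```

The hostname line shows why the dissect fallback is worth having: grok rejects it because "dns.google (8.8.8.8)" is not an %{IP}, while dissect still yields a usable pingtime.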

Hi Ahmad. You should be able to add the name of your pipeline to your Filebeat config. See this example.

Then restart Filebeat and as new logs are ingested they are split into fields in your Elasticsearch index. The field names were specified in your pipeline (e.g. bytes, ip_address, icmp_seq, ttl, pingtime).

Use a Kibana Data View (or Index Pattern on Kibana <8.0) matching your Elasticsearch index(es). Then you can view the data in Discover and create a visualization by selecting the field and clicking the "Visualize" button.

Once again I want to say how much easier this is by using Heartbeat rather than Filebeat. Heartbeat sets up the Elasticsearch index and the ingest pipeline, and it can replicate the ping command so you don't need to parse the output. Heartbeat can even install example visualizations and dashboards in Kibana.

Dear Nickpeihl,

I followed the links you provided but didn't get any results. I am surprised how other engineers work with Kibana. This software is very difficult. I don't want to make things difficult with this software; I just want to design a simple dashboard for the time value in the log. I have seen all the websites and YouTube videos, but I have not seen anyone design a dashboard for a specific value in the log. They are either not interested in doing this or regret using Kibana because it is so complicated. I need your help to introduce me to an article or website that has designed a dashboard for a specific value inside a log in Kibana, except for elastic.co, because I am really frustrated with Kibana.
