I have a typical ELK stack, and am a huge fan of Kibana for analysing structured logs like e.g. Apache access logs. I can draw graphs to my hearts content showing real time performace of our webservers which is awesome.
However it doesn't work so well for reading unstructured logs. These could be logs from anywhere (e.g. /var/log/messages, Tomcats' catalina.out etc), that need to be read more as a traditional log file with a sequential sequence of messages rather than independent events.
Is there anyway within Kibana, or another front end to Elasticsearch, that can do something like the following:
- Use attributes on logs (e.g. filename, hostname, etc) to find a specific log file.
- Scroll back and forwards through this log file as if it was being read in a normal text editor.
- Find and highlight search terms within the file.
- Ideally this search would show all the results, and then you could click each result to drill into the logfile where it was found.
(I've posted this in the "Logstash" forum rather than "Kibana" because I'm interested in any tools that can do this, not just Kibana)
Thanks!
Hello Mark van Rossum,
have you found something useful to achieve scrolling through log files/elasticsearch results?
It turns out, that this is kind of a blocker, which is likely to kick out ELK for our purposes. Our team depends heavily on reading logfiles of different services, distributed on different machines and environments.
Use case/ideal solution would be something like:
Click on an entry in the discover-view, mark several fields which should be used as filter and then click "Show prior 500 events" (and vice versa show next 500 events, using a specific timestamp for order purposes and the marked field-values as filter).
// Would be really really cool if one could ingest JS scripts (on serverside of course) or the like to get custom buttons with functions which would be allowed to use marked fields as arguments
Any ideas how to solve this or how to even get close to this?
Regards,
Andreas Berger
I couldn't find anything so wrote my own Kibana panels which do pretty much
exactly what you describe. It seems strange that there isn't anyway to
simply read a log file using ELK!
I've pushed what I did to https://github.com/markvr/kibana3/tree/local
(note it's on the "local" branch")
This is based on Kibana 3, at some point I'll have to rewrite them to work
with Kibana 4.
Sounds really great, thanks for the share!!
I'll try to build and test it with our current test-environment (no node.js experience yet).
You don't need to build it - I've never even tried. You can just run
Kibana directly from the "src/" folder.
Hi Mark,
i tried to get it running using our existing Elasticsearch data, but unfortunately this attempt failed. I also tried original kibana-3.1.2, which yielded the following hint:
" ... Possibility #2: You are running Elasticsearch 1.4 or higher ..."
At the moment we're using elasticsearch-1.7.3 so this seems to be a blocker, it will take some time to get this run in a test-environment. Not sure if and how we will continue. If we manage to get it working / or continue trying, i'll post you.
Thanks!!