How to take the hostname field in the timelion Kibana

Rocky_RK · May 1, 2019, 5:07am

I'm trying to to get into the timelion visual where i'm trying to get the two queries..

to query the out of memory string
second one not responding

Now, i'm looking if i can get the hostname from the field syslog_hostname , so that i can get the hosts where these two string or search are appearing on.
Like if we can get the top 50 hostnames where these strings appearing ..

Below simple query works fine..

 (.es(index=dpc-syslog*, q="out of memory"),.es(index=dpc-syslog*,q="not responding")).range(0, 100).mvavg(30)

But when i do below that fails to get anything..

(.es(index=dpc-syslog*, q="out of memory"),.es(index=dpc-syslog*,q="syslog_hostname")).range(0, 100).mvavg(30)

below is the Jason DOC which you can see the multiple fields..

Below is my actual data doc looks like, where you can see the syslog_hostname

{
  "_index": "dpc-syslog-2019.05.01",
  "_type": "messages",
  "_id": "5mB_cWoB_bwdGMlgphWu",
  "_version": 1,
  "_score": null,
  "_source": {
    "type": "dpc-syslog",
    "received_at": "2019-05-01T03:45:52.200Z",
    "syslog_timestamp": "Apr 30 20:45:51",
    "syslog_severity": "notice",
    "syslog_facility_code": 1,
    "syslog_pid": "4538",
    "syslog_program": "automount",
    "@timestamp": "2019-05-01T03:45:51.000Z",
    "syslog_hostname": "mydbhost01",
    "syslog_severity_code": 5,
    "syslog_facility": "user-level",
    "syslog_message": "key \"euler\" not found in map source(s)."
  },
  "fields": {
    "@timestamp": [
      "2019-05-01T03:45:51.000Z"
    ],
    "received_at": [
      "2019-05-01T03:45:52.200Z"
    ]
  },
  "sort": [
    1556682351000
  ]
}

Any help/ direction will be much appreciated..

nickpeihl · May 1, 2019, 3:40pm

q="syslog_hostname" is querying the index for a value of "syslog_hostname". It will not return the value of the syslog_hostname field.

You might be able to achieve this by using the split parameter. e.g. .es(index=dpc-syslog*,split=syslog_hostname:5) where 5 is the number of lines to create.

Rocky_RK · May 1, 2019, 4:13pm

Many thanks for the revert @nickpeihl, i'll try that and will revert you back.

Rocky_RK · May 3, 2019, 10:12am

When i do .es(index=sj-syslog*, q="Out of memory") this should show me the searches for the Out of memory from the Index dpc-syslog but it showing wrong as i have only 28 Out of memory count for 12 hours while Timelion show multiple variations.

and

system · May 31, 2019, 10:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.