Howto: which queries could I use?

Dear community,

Is there some howto available on how and which queries I could use to simplify my search? I use a huge number of log files and would like to simplify my searches on an easy basis.

Any help?

This question is too general. What do your logs look like? What fields have you extracted from them? What kind of searches do you want to make? We can tell you how to write queries that match the data you're interested in, but we can't tell you what data you're interested in.

Thank you for your reply. How can I tell you what my logs look like? I have centralised postfix, dhcp and secure logs from several servers and have no specific fields extracted from them... just the complete log files are pushed to my ELK server.

I have named all logs according to their server name, like "server1-maillog" and "server2-dhcpd", etc., in the logstash-forwarder config file.

I would like to know the query for the following. I want to know which MAC address used IP X.X.X.X at a specific time, and I want to search in the "server2-dhcpd" log file.

How can I tell you what my logs look like?

Well, you could for example copy/paste a message's JSON representation from Kibana.

I want to know which MAC address used IP X.X.X.X at a specific time, and I want to search in the "server2-dhcpd" log file.

You'll have to parse those logs with a grok filter in Logstash so that you extract at least the IP address into a separate field. Once that's done, a query similar to clientip:X.X.X.X AND type:dhcpd (depending on what names you give the fields) will find the matching entries.
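As an added illustration (not part of the thread, and not Elastic's or either poster's code), here is the kind of grok pattern the answer above is talking about, together with a small Python script that applies the equivalent regular expression to a few constructed ISC dhcpd syslog lines and then answers the actual question: which MAC address held a given IP at a given time. Everything in it is assumed: the sample log lines, the hostname server2, the field names clientip/clientmac/hostname/interface, and the year supplied for the syslog timestamps (syslog lines carry none, so the Logstash date filter, like this script, has to be told one).

```python
import re
from datetime import datetime

# Constructed ISC dhcpd syslog lines for illustration; not taken from the thread.
SAMPLE_LOG = """\
Mar  5 10:21:58 server2 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  5 10:21:58 server2 dhcpd: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via eth0
Mar  5 10:21:59 server2 dhcpd: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from 00:11:22:33:44:55 (laptop) via eth0
Mar  5 10:21:59 server2 dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via eth0
Mar  5 14:02:10 server2 dhcpd: DHCPACK on 192.168.1.51 to aa:bb:cc:dd:ee:ff via eth0
Mar  6 08:15:42 server2 dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:ff (phone) via eth0
"""

# The Logstash grok pattern this script mirrors (field names are an assumption):
#   %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} dhcpd: DHCPACK on %{IP:clientip}
#   to %{MAC:clientmac}( \(%{DATA:hostname}\))? via %{DATA:interface}
# Only DHCPACK lines are parsed: the ACK is the server confirming the lease, so it
# is the line that ties an IP to a MAC. DISCOVER/OFFER/REQUEST lines are skipped.
DHCPACK_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) dhcpd: DHCPACK on (?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<clientmac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<interface>\S+)$"
)


def parse_syslog_timestamp(ts, year):
    """Syslog timestamps have no year, so the caller supplies one (assumed here
    to be the year the log was written). Result is naive, server-local time."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_events(log_text, year, log_type="dhcpd"):
    """Turn raw dhcpd lines into documents shaped like the grok filter's output."""
    events = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue  # not a DHCPACK line, or a format this pattern does not cover
        event = m.groupdict()
        event["clientmac"] = event["clientmac"].lower()  # normalise for matching
        event["@timestamp"] = parse_syslog_timestamp(event.pop("timestamp"), year)
        event["type"] = log_type  # the field the answer's query filters on
        events.append(event)
    return events


def mac_for_ip(events, ip, at):
    """Which MAC held `ip` at time `at` (datetime or ISO string)?  The last
    DHCPACK for that IP at or before `at` is taken as the lease in force.
    Caveat: this ignores lease expiry and DHCPRELEASE, so if `at` is long
    after the ACK, compare against the lease time in dhcpd.conf."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    candidates = [e for e in events if e["clientip"] == ip and e["@timestamp"] <= at]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e["@timestamp"])["clientmac"]


def lucene_query(ip, log_type="dhcpd"):
    """The Kibana query-string form of the same search, minus the time bound,
    which is set with Kibana's time picker rather than in the query."""
    return f"clientip:{ip} AND type:{log_type}"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG, year=2015)
    print(lucene_query("192.168.1.50"))
    print(mac_for_ip(evs, "192.168.1.50", "2015-03-05 12:00:00"))
    print(mac_for_ip(evs, "192.168.1.50", "2015-03-06 09:00:00"))
```

In the poster's setup, whichever field logstash-forwarder attaches the "server2-dhcpd" name to takes the place of type:dhcpd in the query. Note that the same IP shows two different MACs on the two days in the sample, which is exactly why the time bound matters: without it the query returns both ACKs and you have to read the timestamps to know which lease was current.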