I am not able to find a word which is seprated by (.)


(diksha ) #1

I am new to ELk .I am not able to find a word which is seprated by (.) for example: javax.ejb.duplicatekeyexception
so when i only search duplicatekeyexception . kibana does not show any result , kindly please help me in resolving this issue .


(Christian Stockhaus) #2

the standard text analyzer of elasticsearch will not split on .
to find it you would have to search for the full exception(fieldname:"javax.ejb.duplicatekeyexception")

if you want to search for the single word you would have to include a custom analyzer for the searched field in the index mapping


(diksha ) #3

thanks for the reply sir,
i searched alot about custom analyzer but i didn't get where to write all those put,get api request and how to see its output on kibana .could you please explain me the steps of making an analyzer using elasticsearch , logstash and kibana.


(Christian Stockhaus) #4

The analyzer is only on elasticsearch site and can/must be set for each index.
It can only be set on new indices or in templates for new indices.

  1. create new index with analyzer
    1.1 go to the dev tools in kibana
    1.2 execute th following(replace <indexname>, <type> and <fieldname>:

       PUT <indexname>
       {
           "settings": {
             "analysis": {
               "analyzer": {
                 "point_analyzer": {
                   "type": "pattern",
                   "pattern": "\\.|\\s"
                 }
               }
             }
           },
           "mappings": {
               "<type>": {
                "properties": {
                   "<fieldname>": {
                     "type": "text",
                     "analyzer": "point_analyzer"
                  }
                }
              }
           }
       }
    

    1.3 index a document in the new index

next post template creation for automatic index creation


(Christian Stockhaus) #5

create template for indices that are automatically created

  1. got to dev tools in kibana
  2. execute the following(replace all that is in <>)
PUT _template/<some template name>
{
  "order": 0,
  "template": "<pattern for indexname e.g. elk-*>",
  "settings": {
     "analysis": {
       "analyzer": {
         "point_analyzer": {
           "type": "pattern",
           "pattern": "\\.|\\s"
         }
       }
     }
   },
   "mappings": {
       "<type>": {
        "properties": {
           "<fieldname>": {
             "type": "text",
             "analyzer": "point_analyzer"
          }
        }
      }
   }
}
  1. let logstash create an index with a name in the new index pattern

(diksha ) #6

thanks for the help!
i have completed all the steps but after this also m not able to get the result in kibana.

message:"duplicatekeyexception" i am seraching and still it is not giving any output.


(diksha ) #7

this my logstash.conf file:

input {
file {

path => "xyz/s.log"		

 start_position => "beginning"	
 sincedb_path => "xyz/loginput1.sincedb"
ignore_older => 0

codec => multiline {
pattern => "^\s"
what => "previous"
}
}
}

filter
{
date {
match => ["timestamp" , "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
target => "@timestamp"
add_field => { "debug" => "timestampMatched"}
}
}

output {

            stdout {
                    codec => rubydebug 
            }

if "xyz1" in [message] {
email {
to => 'technical@logstash.net'
from => 'monitor@logstash.net'
subject => 'Alert - %{title}'
body => "Tags: %{tags}\n\Content:\n%{message}"
domain => 'mail.logstash.net'
port => 25
}
}
elasticsearch {

		action => "index"
		hosts => "localhost" 
	    
	    index => "logdemo12"
	
		 
   		    
	    
	    }

}


(diksha ) #8

this is what i am exceuting in kibana dev tool:

PUT customindex1
{
"settings": {
"analysis": {
"analyzer": {
"point_analyzer": {
"type": "pattern",
"pattern": "\.|\s"
}
}
}
},
"mappings": {
"dotanlayzer": {
"properties": {
"message": {
"type": "text",
"analyzer": "point_analyzer"
}
}
}
}
}

PUT _template/customtemplate
{
"order": 0,
"template": "logdemo1-*",
"settings": {
"analysis": {
"analyzer": {
"point_analyzer": {
"type": "pattern",
"pattern": "\.|\s"
}
}
}
},
"mappings": {
"dotanlayzer": {
"properties": {
"message": {
"type": "text",
"analyzer": "point_analyzer"
}
}
}
}
}


(Christian Stockhaus) #9

with your current logstash configuration you would have to change the template with the following command (in dev-tool):

PUT _template/customtemplate
{
   "order":0,
   "template":"logdemo12",
   "settings":{
      "analysis":{
         "analyzer":{
            "point_analyzer":{
               "type":"pattern",
               "pattern":"\\.|\\s"
            }
         }
      }
   },
   "mappings":{
      "_default_":{
         "properties":{
            "message":{
               "type":"text",
                "analyzer":"point_analyzer"
             }
          }
      }
   }
}

and

 DELETE logdemo12

than you could try again


(diksha ) #10

Thanks for the help..
I am able to see the results when i use GET method but when i search on kibana UI then it gives me nothing. so for that what i have to do?


(Christian Stockhaus) #11

If you see it with a GET Request to ES and not in Kibana the only thing that comes to mind is the refresh of the configured index in Kibana

  •      Management -> Index Patterns
    
  •      Delete old index pattern
    
  •      Create a new Index Pattern with the new indexname logdemo12
    


(diksha ) #12

I did this also still not working.
steps which i am doing is:

  1. i executed (put/indexname , put/customindex) in dev tool
  2. i executed (put/templatename, put/customtemplate) in dev tool
  3. i ran the logstash.conf file with above configurations.
  4. i searched on kibana and did'nt get the result!

Thanks in advance and sorry for troubling u alot


(Christian Stockhaus) #13

can you post the response to the GET request from Elasticsearch for the document that you get back


(diksha ) #14

{
"took": 114,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 27,
"max_score": 8.557227,
"hits": [
{
"_index": "logdemo12",
"_type": "logs",
"_id": "xbzvzh",
"_score": 8.557227,
"_source": {
"@timestamp": "2017-09-11T06:12:09.251Z",
"message": "[7/25/17 7:49:12:583 CDT] xxxxxxxxxxxxxxxxxxxxx com.xxx.NullPointerException
"@version": "1",
"path": "D:/b.log",
"host": "abcdef"
}
},


(Christian Stockhaus) #15

okay i cann't see any problem why it shouldn't be visible in Kibana
the obvious thing would be that the timeframe in kibana is to short but other than that... :thinking:


(diksha ) #16

What does raw field means?


(diksha ) #17

thanks for the help christian it worked for few of the text not for all :slight_smile:


(Christian Stockhaus) #18

any idea what is the difference between the messages that are shown and the ones that are not shown?

can't think of anything


(diksha ) #19

Now it is working ! after adding this line "pattern": "\.|\s|\:|\_"
Thanks alot Christian :slight_smile: !


(system) #20

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.