Discuss the Elastic Stack

In kibana(KQL), In the message field need to combine two conditions

Elastic Stack Kibana

souji (souji) November 2, 2021, 3:25am 1

Have text message like below in my index

"POST /app/v1/fetch/abcdefgh HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - “10.0.0.0” “example.xxx.xxx.com" "-" - - 10.10.10.1:80

"POST /app/v1/fetch/abcdefgh HTTP/1.1" 200 route_not_found - "-" 0 0 0 - “10.0.0.0” “example.xxx.xxx.com" "-" - - 10.10.10.1:80

"POST /app/v1/fetch/abcdefgh HTTP/1.1" 200 route_not_found - "-" 0 0 0 - “10.0.0.0” “example.xxx.xxx.com" "-" - - 10.10.10.1:80

How can search from kibana only to get the records for other than 200 means errors and has example keyword

warkolm (Mark Walkom) November 2, 2021, 5:33am 2

Ideally you would be extracting the fields during index time, using an ingest pipeline or similar.
If not, you can try to use a runtime field to pull the events apart and put them in their own fields. But it's likely to be a lot clunkier.

I'm not sure if kql can pull this apart like you want.

souji (souji) November 2, 2021, 12:15pm 3

thank you

system (system) Closed November 30, 2021, 12:15pm 4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.