Kibana full text search problem

sockaddr_in · August 4, 2017, 1:44am

Continuing the discussion from Kibana full text search:
I have the same question as above. So can anyone tell me how to full text search ？thx!

bhavyarm · August 4, 2017, 1:01pm

Hi,

I am not quite sure if I understand the question. I see that Tyler's answer has all the details about using analyzed field and the tokenizer/tokenfilter. This is something you do in Elasticsearch. Kibana provides the UI for you to search on it.

What problem are you trying to solve? Also which version of ES and Kibana are you on?

Thanks,
Bhavya

sockaddr_in · August 5, 2017, 11:36pm

Hi,
Thanks for your reply! The following is my question：
Env:
Filebeat 5.5.1
Elasticsearch 5.5.1
Logstash 5.5.1
Kibana 5.5.1
OS : Linux 64bit

I use Filebeat as shipper to ship log to logstash, then output to Elasticsearch. Use Kibana as UI to search log.
But it seems that Kibana cannot search what i input in Kibana:
For example, when i search "/admin/em" in the following log sample, the string "/admin/em" cannot be found, but it exists in log indeed. So i am confused!!! The following is my log sample:

03/Aug/2017:00:26:47 -0700|52.9.101.47|GET /admin/email/markedAsRead?uuid=3211755339325447&type=2&tag= HTTP/1.1|200|-|66.102.8.56|Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)|-|chime.me|845|0.018|0.018|172.31.21.87:28080|29917549|1|a2904ffe-29a8-471a-825c-6d03fbe745f8

Here is my logstash config:

input {
beats {
port => 5044
}
}
filter {
ruby {
code => "
event.timestamp.time.localtime
tstamp = event.get('@timestamp').to_i
event.set('date_str', Time.at(tstamp).strftime('%Y-%m-%d'))
"
}
}
output {
if [business] == "nginx" and [type] == "access" {
file{
path => "/home/ec2-user/realtime_log/nginx/nginx-access.%{date_str}"
codec => line { format => "%{message}" }
}
elasticsearch {
action => "index"
hosts => "http://log.a.b.c.com:9200"
index => "nginx-access-%{date_str}"
}
}
}

bhavyarm · August 10, 2017, 8:44pm

Hi,

Am extremely sorry for the delay. I forgot I had to follow up on this.

Can you see your data in discover in Kibana?
Also can you try searching for "/admin/email" ?

Thanks,
Bhavya

sockaddr_in · August 18, 2017, 11:26am

Hello,
Sorry, a long time
The following is log data：

03/Aug/2017:00:26:47 -0700|52.9.101.47|GET /admin/email/markedAsRead?uuid=3211755339325447&type=2&tag= HTTP/1.1|200|-|66.102.8.56|Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)|-|chime.me|845|0.018|0.018|172.31.21.87:28080|29917549|1|a2904ffe-29a8-471a-825c-6d03fbe745f8

If i search for “/admin/email”, that can be searched. And if i search for "/admin/em", that cant be searched, but
it indeed exists in log data.

system · September 15, 2017, 11:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.