Hi,
I'm using Kibana in a browser to query for some log data that has been fed into Elasticsearch.
I'm not able to get enough help material on usage information for various fields.
For example, what is "host" and what is "agent" and what is host.hostname and agent.hostname.
Also, how do I use the @timestamp in the query. Should it be something like
@timestamp : "12/26/2019" - what are the various options?
Where can I get detailed information on each of these items?
Thanks.
Where is your log data coming from? A good reference may be from the vendor providing the log data.
Is your log data in Elastic Common Schema (ECS)? Here is a link to ECS docs that define some of the fields you are asking about ECS Field Reference | Elastic Common Schema (ECS) Reference [8.11] | Elastic
agent: Agent Fields | Elastic Common Schema (ECS) Reference [8.11] | Elastic
host: Host Fields | Elastic Common Schema (ECS) Reference [8.11] | Elastic
As for @timestamp, checkout out What is the difference between @timestamp and timestamp?
@ fields are usually ones generated by Logstash as metadata ones, @timestamp being the value that the event was processed by Logstash.
Set @timestamp as the Time Filter field name when setting up your Kibana index pattern. This will allow Kibana's timepicker to filter on @timestamp field.
My log data goes into Elasticsearch from log files on different Windows client machines. Elasticsearch is installed with Kibana on a Windows Server machine.
Filebeat is used on the different clients to feed log information into Elasticsearch.
I'm not using Logstash. I was using it earlier, but am bypassing it now, since there is no real need for it in my environment.
So then, I think the log data should be in ECS.
Basically I need good ways to differentiate which log information comes from which client machine. I think host.hostname may be a good differentiator.
So, in my scenario, do you think it is necessary to create different indexes for different client machines? Or just use one filebeat-* ?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
