Kibana search problem - not finding string

Hi,

I'm trying to search for a string in Kibana. It's a metricbeat field called: system.process.cmdline

It lists out a long Java line like the one below but fails to find my string (but finds others). It's driving me a bit potty.

This is the string:

"cmdline": "java -Dname=process01 -Dlogback.configurationFile=/file/system/path/process01.1234/bin/../config/DEV/PRS/logback.xml -server -showversion -d64 -Xms512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:G1MixedGCLiveThresholdPercent=70 -XX:InitiatingHeapOccupancyPercent=70 ..."

I just want to search on - "-Dname" and extract the "process01" name

This search string works:

system.process.name : java AND system.process.cmdline : *Djava* AND  beat.hostname:server01

But this doesn't bring back any results even though I can see it in the string.

system.process.name : java AND system.process.cmdline : *Dname* AND  beat.hostname:server01

It's a long shot but I'm hoping that this can be explained and I need to add an additional value to my metricbeat.yml to get data out. It's just confusing because I can see dname in the string so it may be something else.

Thank you in advance for any help you can offer.

Regards

Dennis

Hello,

Looks like it's a problem stemming from the fact that the field can get over 1024 characters. And in the metricbeat index template, the parameter ignore_above is set to 1024, making that document not indexed, which in turn means not searchable.
https://www.elastic.co/guide/en/elasticsearch/reference/current/ignore-above.html

How can you fix this?
You could edit the template of your metricbeat index and set a larger value for ignore_above.
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

How do you go about extracting just a part of the string from the result above?

Thanks for your reply @Marius_Dragomir.

You are right, checking the largest document, it was over 27,000 characters, which is too big to make searchable in ES. For this reason I switched from metricbeat direct to ES, and instead used filebeat to send over the metricbeat log to logstash.

Slightly more work than I was planning on doing, but I now have a lot more control over my data. If anyone is interested, this is the regex I used to pull out the field of interest in logstash:

filter {
  # The metricbeat log line is a JSON document; parse it into fields.
  json {
    source => "message"
  }
  # Pull the value after -Dname= out of the cmdline into its own field.
  grok {
    match => { "[system][process][cmdline]" => ".*\s-Dname=%{WORD:system.process.appname}\s.*" }
  }
}

Thanks.
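As an added example (not code from this thread or from Elastic), the Python below models the two things discussed above: Marius's point that a keyword field with ignore_above silently drops over-length values from the index, so a wildcard query like *Dname* matches nothing while _source still shows the value, and the -Dname= extraction the grok filter performs, written as a small parser for Java -D system properties. The sample cmdlines are constructed here, modelled on the one in the question and padded with dummy -D flags; the template name, the 8192 limit and the ES 6.x-style "doc" mapping type are assumptions.

```python
"""Added example, not part of the thread: a local model of ignore_above and
of the -Dname= extraction. Field names, template name and ES 6.x "doc"
mapping type are assumptions."""
import json
import re
from typing import Dict, Optional

# Constructed sample, modelled on the cmdline in the question (not the
# poster's real data) and padded with dummy -D flags to exceed 1024 chars.
SHORT_CMDLINE = ("java -Dname=process01 -Dlogback.configurationFile=/file/system/path/"
                 "process01.1234/bin/../config/DEV/PRS/logback.xml -server -d64 -Xms512m")
LONG_CMDLINE = SHORT_CMDLINE + "".join(f" -Dpad{i}={'x' * 40}" for i in range(40))

# -D must follow whitespace (or start of string); value is optional.
_DPROP = re.compile(r"(?<!\S)-D([^\s=]+)(?:=(\S*))?")


def java_props(cmdline: str) -> Dict[str, Optional[str]]:
    """Parse every -Dkey[=value] token; a bare -Dflag maps to None."""
    return {m.group(1): m.group(2) for m in _DPROP.finditer(cmdline)}


def app_name(cmdline: str) -> Optional[str]:
    """What the thread's grok pattern extracts: the value of -Dname."""
    return java_props(cmdline).get("name")


def indexed_keyword(value: str, ignore_above: int = 1024) -> Optional[str]:
    """Model of a keyword field with ignore_above: a value longer than the
    limit is not indexed (the document itself is, and _source keeps it)."""
    return value if len(value) <= ignore_above else None


def wildcard_matches(value: str, pattern: str, ignore_above: int = 1024) -> bool:
    """Model of a wildcard query such as *Dname* against that keyword field."""
    term = indexed_keyword(value, ignore_above)
    if term is None:
        return False
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, term) is not None


def override_template(ignore_above: int) -> dict:
    """Legacy /_template body raising ignore_above for system.process.cmdline.
    'order' must be higher than the Beats template's so this mapping wins.
    Assumes the ES 6.x 'doc' type; drop that level on ES 7."""
    cmdline = {"type": "keyword", "ignore_above": ignore_above}
    return {
        "index_patterns": ["metricbeat-*"],
        "order": 10,
        "mappings": {"doc": {"properties": {"system": {"properties": {
            "process": {"properties": {"cmdline": cmdline}}}}}}},
    }


if __name__ == "__main__":
    for label, c in (("short", SHORT_CMDLINE), ("long", LONG_CMDLINE)):
        print(label, len(c), "chars; *Dname* matches:", wildcard_matches(c, "*Dname*"),
              "; -Dname =", app_name(c))
    # PUT this body to /_template/metricbeat-cmdline-override (hypothetical name).
    print(json.dumps(override_template(8192), indent=2))
```

Two caveats when applying the template change for real: a raised ignore_above only takes effect for indices created after the template is installed (or after a PUT mapping on an existing index), and documents already ingested keep the dropped field until they are reindexed. Lucene also caps a single indexed term at 32766 bytes, so values longer than that cannot be made searchable as a keyword at all.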
