Kibana - Stack Monitoring - No structured logs found

jason_0 · August 12, 2020, 12:18am

sure does.

{
  "filebeat-7.8.0-elasticsearch-server-pipeline-json" : {
    "description" : "Pipeline for parsing the Elasticsearch server log file in JSON format.",
    "on_failure" : [
      {
        "set" : {
          "field" : "error.message",
          "value" : "{{ _ingest.on_failure_message }}"
        }
      }
    ],
    "processors" : [
      {
        "json" : {
          "field" : "message",
          "target_field" : "elasticsearch.server"
        }
      },
      {
        "drop" : {
          "if" : "ctx.elasticsearch.server.type != 'server'"
        }
      },
      {
        "remove" : {
          "field" : "elasticsearch.server.type"
        }
      },
      {
        "dot_expander" : {
          "field" : "service.name",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "field" : "elasticsearch.server.service.name",
          "target_field" : "service.name",
          "ignore_missing" : true
        }
      },
      {
        "rename" : {
          "ignore_missing" : true,
          "field" : "elasticsearch.server.component",
          "target_field" : "elasticsearch.component"
        }
      },
      {
        "dot_expander" : {
          "field" : "cluster.name",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "target_field" : "elasticsearch.cluster.name",
          "field" : "elasticsearch.server.cluster.name"
        }
      },
      {
        "dot_expander" : {
          "field" : "node.name",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "field" : "elasticsearch.server.node.name",
          "target_field" : "elasticsearch.node.name"
        }
      },
      {
        "dot_expander" : {
          "field" : "cluster.uuid",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "ignore_missing" : true,
          "field" : "elasticsearch.server.cluster.uuid",
          "target_field" : "elasticsearch.cluster.uuid"
        }
      },
      {
        "dot_expander" : {
          "field" : "node.id",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "field" : "elasticsearch.server.node.id",
          "target_field" : "elasticsearch.node.id",
          "ignore_missing" : true
        }
      },
      {
        "rename" : {
          "target_field" : "log.level",
          "ignore_missing" : true,
          "field" : "elasticsearch.server.level"
        }
      },
      {
        "dot_expander" : {
          "field" : "log.level",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "target_field" : "log.level",
          "ignore_missing" : true,
          "field" : "elasticsearch.server.log.level"
        }
      },
      {
        "dot_expander" : {
          "field" : "log.logger",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "field" : "elasticsearch.server.log.logger",
          "target_field" : "log.logger",
          "ignore_missing" : true
        }
      },
      {
        "dot_expander" : {
          "field" : "process.thread.name",
          "path" : "elasticsearch.server"
        }
      },
      {
        "rename" : {
          "field" : "elasticsearch.server.process.thread.name",
          "target_field" : "process.thread.name",
          "ignore_missing" : true
        }
      },
      {
        "grok" : {
          "patterns" : [
            "%{GC_ALL}",
            "%{GC_YOUNG}",
            "((\\[%{INDEXNAME:elasticsearch.index.name}\\]|\\[%{INDEXNAME:elasticsearch.index.name}\\/%{DATA:elasticsearch.index.id}\\]))?%{SPACE}%{GREEDYMULTILINE:message}"
          ],
          "field" : "elasticsearch.server.message",
          "pattern_definitions" : {
            "GC_YOUNG" : """\[gc\]\[young\]\[%{NUMBER:elasticsearch.server.gc.young.one}\]\[%{NUMBER:elasticsearch.server.gc.young.two}\]%{SPACE}%{GREEDYMULTILINE:message}""",
            "GREEDYMULTILINE" : """(.|
)*""",
            "INDEXNAME" : "[a-zA-Z0-9_.-]*",
            "GC_ALL" : """\[gc\]\[%{NUMBER:elasticsearch.server.gc.overhead_seq}\] overhead, spent \[%{NUMBER:elasticsearch.server.gc.collection_duration.time:float}%{DATA:elasticsearch.server.gc.collection_duration.unit}\] collecting in the last \[%{NUMBER:elasticsearch.server.gc.observation_duration.time:float}%{DATA:elasticsearch.server.gc.observation_duration.unit}\]"""
          }
        }
      },
      {
        "remove" : {
          "field" : "elasticsearch.server.message"
        }
      },
      {
        "rename" : {
          "field" : "elasticsearch.server.@timestamp",
          "target_field" : "@timestamp",
          "ignore_missing" : true
        }
      },
      {
        "rename" : {
          "target_field" : "@timestamp",
          "ignore_missing" : true,
          "field" : "elasticsearch.server.timestamp"
        }
      },
      {
        "date" : {
          "ignore_failure" : true,
          "field" : "@timestamp",
          "target_field" : "@timestamp",
          "formats" : [
            "ISO8601"
          ]
        }
      }
    ]
  }
}

chrisronline · August 12, 2020, 1:44pm

Hmm.

Try running filebeat in debug mode (-d "processors") and verify you see the appropriate pipeline being applied:

2020-08-12T09:42:05.671-0400	DEBUG	[processors]	processing/processors.go:187	Publish event: {
  "@timestamp": "2020-08-12T13:42:00.670Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "8.0.0",
    "pipeline": "filebeat-8.0.0-elasticsearch-server-pipeline"
  },

Since you are ingesting the .json logs, it should hit this part of that pipeline:

      {
        "pipeline" : {
          "name" : "filebeat-8.0.0-elasticsearch-server-pipeline-json",
          "if" : "ctx.first_char == '{'"
        }
      },

which should trigger the json pipeline.

Let's reverify all these components are in place before debugging more.

Thanks

peterpramb · September 1, 2020, 2:23pm

Just an observation: I had the same issue, with pipelines and everything in place, and it turned out that there were simply no log entries in the selected time range (this is 7.8.1, btw).

Previously Kibana told one to check the selected time range when no log entries were found, but it seems this is gone now and was replaced with the structured log message.

system · September 29, 2020, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana - Stack Monitoring - No structured logs found [2] Kibana elastic-stack-monitoring , painless , ingest-pipeline	3	596	October 2, 2022
Don’t see logs in kibana stack monitoring Kibana elastic-stack-monitoring	22	1708	September 30, 2022
No Structured Logs Found in Stack Monitoring when using Logstash Logstash	7	436	May 9, 2022
Elasticsearch server logs not visible in Kibana Stack monitoring Logs elastic-stack-monitoring	8	2553	November 4, 2022
Don't see logs in kibana stack montoring Kibana	3	908	December 4, 2020

Kibana - Stack Monitoring - No structured logs found

Related topics