Kibana string manipulation

Hello. We are using the ELK 7.6.2 stack.

Fields from a particular log file get displayed nicely in Kibana. One of the fields is "message", which in itself contains a lot of information. An example from the log is below:

[Jan 22 10:58:53.188] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094261]} [status: 200, done in 0 ms]**
[Jan 22 11:05:43.959] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094264]} [invoking]**
[Jan 22 11:05:43.959] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094263]} [invoking]**
[Jan 22 11:05:43.960] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094262]} [invoking]**
[Jan 22 11:05:43.961] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094264]} [status: 200, done in 1 ms]**
[Jan 22 11:05:43.961] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094263]} [status: 200, done in 1 ms]**
[Jan 22 11:05:43.961] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094262]} [status: 200, done in 1 ms]**
[Jan 22 11:05:44.031] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ **GET /rest/welcome {userId=[abcd123], _=[1611331094265]} [invoking]** 


The question is: is it possible to create visualizations based on the content of the message (see bold above), for example based on the userId value (which is abcd123 in this case) or maybe on status: 200?

Thanks

You can do that using a scripted field (https://www.elastic.co/guide/en/kibana/current/scripted-fields.html), pulling the part you need out of the string.

For better performance it's recommended to do this as part of an Elasticsearch ingest pipeline (e.g. using the grok pipeline processor: https://www.elastic.co/guide/en/elasticsearch/reference/current/grok-processor.html )
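As an added example (not from the original thread, and not Elastic's own code), the script below shows both halves of the ingest-pipeline approach for this exact message format: the grok expression that would go into a `PUT _ingest/pipeline/...` body, and an offline Python equivalent of the same split, run over a few constructed log lines that copy the format in the post (the bold markers are forum emphasis, not log content; the fourth line with a different user and a 500 status is invented to make the aggregation interesting). The field names (`user.id`, `http.status`, `duration_ms`, `phase`) and the pipeline name are this example's assumptions; the `BRACKETED` custom pattern is defined here to keep the user-controlled `userId` capture bounded instead of using `DATA`.

```python
import json
import re
from collections import Counter
from typing import Optional

# Grok expression for the Elasticsearch grok processor. The "[invoking]" and
# "[status: N, done in M ms]" endings are handled by one alternation, so both
# kinds of line match and only the status lines get http.status / duration_ms.
# Field names are this example's choice (assumption), not anything from the post.
GROK_PATTERN = (
    r"\[%{MONTH:month} %{MONTHDAY:day} %{TIME:time}\] ~\|~ %{LOGLEVEL:log.level} ~\|~ "
    r"\[%{BRACKETED:thread}\] ~\|~ %{NOTSPACE:logger} ~\|~ - ~\|~ "
    r"%{WORD:http.method} %{URIPATH:url.path} "
    r"\{userId=\[%{BRACKETED:user.id}\], _=\[%{NUMBER:cache_buster}\]\} "
    r"\[(?:%{WORD:phase}|status: %{NUMBER:http.status:int}, done in %{NUMBER:duration_ms:int} ms)\]"
)


def build_pipeline() -> dict:
    """Body for PUT _ingest/pipeline/<name>; the pipeline name is up to the caller."""
    return {
        "description": "Split resteasy request log message into typed fields",
        "processors": [
            {
                "grok": {
                    "field": "message",
                    "patterns": [GROK_PATTERN],
                    # Bounded capture for bracketed values such as userId, which is
                    # client-supplied: no backtracking-prone .*? on untrusted input.
                    "pattern_definitions": {"BRACKETED": r"[^\]]*"},
                }
            }
        ],
        # Keep unparsable lines but tag them so a visualization can surface them.
        "on_failure": [{"append": {"field": "tags", "value": "_grokparsefailure"}}],
    }


# Offline mirror of the grok expression, so the split can be checked without a cluster.
LOG_RE = re.compile(
    r"^\[(?P<month>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d\.\d+)\] ~\|~ "
    r"(?P<level>[A-Z]+) ~\|~ \[(?P<thread>[^\]]*)\] ~\|~ (?P<logger>\S+) ~\|~ - ~\|~ "
    r"(?P<method>[A-Z]+) (?P<path>/\S*) "
    r"\{userId=\[(?P<user_id>[^\]]*)\], _=\[(?P<cache_buster>\d+)\]\} "
    r"\[(?:(?P<phase>\w+)|status: (?P<status>\d+), done in (?P<duration_ms>\d+) ms)\]\s*$"
)

# Constructed sample input: the first three lines copy the post's format, the
# fourth (different user, status 500) is invented for the aggregation below.
SAMPLE_LINES = [
    "[Jan 22 10:58:53.188] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ GET /rest/welcome {userId=[abcd123], _=[1611331094261]} [status: 200, done in 0 ms]",
    "[Jan 22 11:05:43.959] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ GET /rest/welcome {userId=[abcd123], _=[1611331094264]} [invoking]",
    "[Jan 22 11:05:43.961] ~|~ INFO ~|~ [Servlet-abcd123  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ GET /rest/welcome {userId=[abcd123], _=[1611331094264]} [status: 200, done in 1 ms]",
    "[Jan 22 11:06:01.004] ~|~ INFO ~|~ [Servlet-wxyz789  ] ~|~ resteasyfilter.RestResourceLogging ~|~ - ~|~ GET /rest/orders {userId=[wxyz789], _=[1611331094270]} [status: 500, done in 12 ms]",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the extracted fields (status/duration as ints) or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("status", "duration_ms"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def count_by_user_and_status(lines) -> dict:
    """What a terms aggregation on user.id + http.status would show: completed requests only."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None or event["status"] is None:
            continue  # unparsable lines and "[invoking]" lines carry no status
        counts[(event["user_id"], event["status"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print(json.dumps(build_pipeline(), indent=2))
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(count_by_user_and_status(SAMPLE_LINES))
```

Once the pipeline is installed and the index (or Logstash/Beats output) points at it, `user.id` and `http.status` arrive as keyword and integer fields and can be used directly in a terms or histogram visualization, with no per-query scripting. That is the practical difference from a scripted field, which re-runs the extraction for every document on every query and, on 7.x, needs `script.painless.regex.enabled` turned on before Painless will run a regex at all.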
