I'm currently evaluating using ES and logstash as central log management.
Aside from storing logs in ES, I will need to do some querying and reports
as well. This is where I get into trouble, because I'm not sure how to
solve the following problem.
I have a service where a certain user logs in via a web page. That login is
logged in the apache log. The login is then further forwarded to a RADIUS server (which logs
to its own log file) and from there to an LDAP server, which also logs to its own
file. I would like to extract information (the last log line) for a certain user
to figure out where the login failed (http, radius or ldap). This would be a
script for helpdesk, to quickly check where the login stopped and investigate
further.
In an SQL database, I could just link (=) fields in the database and get a match.
Something like
SELECT httpd.username, httpd.full_log_message, radius.full_log_message,
       ldap.full_log_message
FROM httpd, radius, ldap
WHERE httpd.login = radius.login AND radius.login = ldap.login
LIMIT 1
Can I achieve that in elasticsearch?
What is that called in elasticsearch?
Can someone provide an example or a link to it?
On Fri, Sep 12, 2014 at 10:55 AM, Ivan Brusic ivan@brusic.com wrote:
You cannot join documents in Lucene/Elasticsearch (at least not like an
RDBMS). You would need to either denormalize your data, join on the client
side or execute 2+ queries.
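The "execute 2+ queries and join on the client side" option from the reply, worked through as the helpdesk script the question describes. This is an added example, not code from the thread or from Elasticsearch/logstash. It assumes three constructed lists of log lines standing in for the hits of three separate per-service queries, a hypothetical line layout that a grok filter would normally have parsed into fields, and a fixed service order httpd, radius, ldap. The point it adds beyond the reply: when correlating the newest record per service, restrict each later stage to records no older than the previous stage's record, otherwise a stale RADIUS or LDAP entry from an earlier login gets paired with the current attempt.

```python
import re
from datetime import datetime

# Constructed sample log lines (not real data), one list per service. With logstash
# these would be documents in Elasticsearch, and a helpdesk script would fetch each
# list with its own query (for example a term filter on a grok-extracted "user" field).
HTTPD_LINES = [
    "2014-09-12T10:50:01Z httpd POST /login user=alice result=ok",
    "2014-09-12T10:51:00Z httpd POST /login user=bob result=ok",
    "2014-09-12T10:52:00Z httpd POST /login user=carol result=denied",
    "2014-09-12T10:53:00Z httpd POST /login user=erin result=ok",
]
RADIUS_LINES = [
    "2014-09-12T10:50:02Z radius Access-Request user=alice result=accept",
    "2014-09-12T10:51:01Z radius Access-Request user=bob result=reject reason=bad-password",
    # Stale entry from an earlier attempt: predates erin's httpd login above.
    "2014-09-12T09:00:00Z radius Access-Request user=erin result=accept",
]
LDAP_LINES = [
    "2014-09-12T10:50:03Z ldap BIND user=alice result=success",
]
SOURCES = {"httpd": HTTPD_LINES, "radius": RADIUS_LINES, "ldap": LDAP_LINES}

# Order in which a login passes through the services (assumed, per the question).
STAGES = ["httpd", "radius", "ldap"]
# Per-service result values that mean "this stage let the login through" (assumed).
OK_RESULTS = {"ok", "accept", "success"}
# Hypothetical line layout; a real deployment would rely on its own grok patterns.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+) .*?user=(?P<user>\S+) result=(?P<result>\S+)"
)


def parse_line(line):
    """Turn one raw line into the fields a logstash grok filter would have produced."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["message"] = line
    return fields


def last_event(lines, user, not_before=None):
    """Newest event for `user`, ignoring anything older than `not_before` so that a
    stale record from an earlier login attempt is not paired with the current one."""
    events = [e for e in map(parse_line, lines) if e is not None and e["user"] == user]
    if not_before is not None:
        events = [e for e in events if e["ts"] >= not_before]
    return max(events, key=lambda e: e["ts"]) if events else None


def trace_login(user, sources):
    """Client-side join over the per-service result sets: walk the stages in order
    and stop at the first one that rejected the login or has no matching record."""
    trace = {}
    not_before = None
    for stage in STAGES:
        ev = last_event(sources[stage], user, not_before)
        if ev is None:
            return {"user": user, "failed_at": stage, "reason": "no record", "trace": trace}
        trace[stage] = ev["message"]
        if ev["result"] not in OK_RESULTS:
            return {"user": user, "failed_at": stage, "reason": ev["result"], "trace": trace}
        not_before = ev["ts"]
    return {"user": user, "failed_at": None, "reason": None, "trace": trace}


if __name__ == "__main__":
    for name in ["alice", "bob", "carol", "dave", "erin"]:
        r = trace_login(name, SOURCES)
        if r["failed_at"] is None:
            where = "completed all stages"
        else:
            where = "stopped at %s (%s)" % (r["failed_at"], r["reason"])
        print("%s: %s" % (name, where))
        for stage, msg in r["trace"].items():
            print("    %s: %s" % (stage, msg))
```

The same trace can be produced with a single query if the data is denormalized as the reply's first option suggests: have logstash add a shared correlation field (a session id, or the username plus the httpd request timestamp) to the RADIUS and LDAP events at ingest time, then one filtered query returns all three records and the stage walk above runs over that one result set.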