Hi, I am trying to create a location-based dashboard in Kibana. Location details are not available in the log message, so we have to add logic to map them. Please help.
Use case: each location contains 400 servers; once we click on the location, all 400 servers should be displayed in the dashboard. Winlogbeat is installed on each server and is sending logs.
Welcome to our community!
How are you going to figure out the location if there is nothing in the logs to calculate that on?
What is your pipeline? Do you have Logstash, or are you sending your logs directly to Elasticsearch?
I had a similar use case a couple of years ago.
You will need something in your messages to identify the location. Since your original log message does not have anything like that, you will need to enrich your data or use other information, like the server IP, to find the location.
With Winlogbeat you can use the `add_fields` processor to add a new field with some information that you can use later; for example, you can have a field with the name `location_name` and the value `myLocation`, but you would need to do this in every `winlogbeat.yml`.
You can also use Logstash and the `translate` field to map the location based on the server IP, for example.
Something like:
```
translate {
  field       => "[field_with_ip_address]"
  destination => "[field_to_save_the_location_name_or_coordinates]"
  regex       => true                      # dictionary keys are regular expressions
  dictionary  => {
    "10.0.*" => "location 1"
    "10.1.*" => "location 2"
    "10.2.*" => "location 3"
  }
  fallback    => "location not found"      # written when no key matches
}
```
In the above example the `translate` filter will use regex to match each IP range to a specific location, assuming that the IP address ranges are different for each location.
Either way, you will need a field with some information that you can map to a location; without knowing more about your deployment there is no way to know which one is better.
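An added example, not code from any post in this thread or from the Logstash project: it runs the IP-to-location lookup offline over a few constructed Winlogbeat-style events, once with the regex dictionary from the reply above and once with CIDR prefixes. It assumes the dictionary keys are applied as unanchored regular expressions in first-match order (the `REGEX_DICTIONARY` and `CIDR_TABLE` ranges, host names and IPs are all invented), and shows why unescaped, unanchored patterns like `10.1.*` are a poor way to express an address range: a host in 10.10.0.0/16 is silently attributed to location 2, while the CIDR lookup falls back to "location not found".

```python
"""Offline comparison of a regex dictionary lookup and a CIDR lookup for
server-IP -> location enrichment. Added example; all ranges, host names and
events below are constructed for illustration."""
import ipaddress
import re

# Same shape as the Logstash dictionary in the reply above (assumed to be applied
# as unanchored regexes, first matching key wins).
REGEX_DICTIONARY = {
    "10.0.*": "location 1",
    "10.1.*": "location 2",
    "10.2.*": "location 3",
}

# Assumed per-site address ranges; the most specific matching network wins.
CIDR_TABLE = {
    ipaddress.ip_network("10.0.0.0/16"): "location 1",
    ipaddress.ip_network("10.1.0.0/16"): "location 2",
    ipaddress.ip_network("10.2.0.0/16"): "location 3",
}

FALLBACK = "location not found"


def translate_regex(ip, dictionary=REGEX_DICTIONARY, fallback=FALLBACK):
    """Return the value of the first key whose regex matches anywhere in `ip`."""
    for pattern, location in dictionary.items():
        if re.search(pattern, ip):
            return location
    return fallback


def translate_cidr(ip, table=CIDR_TABLE, fallback=FALLBACK):
    """Return the location of the longest-prefix network containing `ip`.

    Strings that are not IP addresses get the fallback rather than a guess."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return fallback
    best = None
    for net, location in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, location)
    return best[1] if best else fallback


def enrich(event, lookup):
    """Copy of `event` with a location_name field, like `destination` in translate."""
    out = dict(event)
    out["location_name"] = lookup(event.get("host.ip", ""))
    return out


# Constructed Winlogbeat-style events. 10.10.x.x belongs to none of the three sites
# and 172.16.x.x is a VPN client, so both should end up as "location not found".
EVENTS = [
    {"host.name": "DC01", "host.ip": "10.0.4.21"},
    {"host.name": "APP17", "host.ip": "10.1.200.7"},
    {"host.name": "LAB03", "host.ip": "10.10.5.5"},
    {"host.name": "VPN", "host.ip": "172.16.9.9"},
]


def compare(events=EVENTS):
    """host.name -> (regex result, CIDR result) for every event."""
    return {
        e["host.name"]: (
            enrich(e, translate_regex)["location_name"],
            enrich(e, translate_cidr)["location_name"],
        )
        for e in events
    }


if __name__ == "__main__":
    for host, (by_regex, by_cidr) in compare().items():
        flag = "" if by_regex == by_cidr else "   <-- disagree"
        print(f"{host:6} regex={by_regex!r:22} cidr={by_cidr!r}{flag}")
```

If you keep the `translate` filter, the same fix applies to its dictionary: escape the dots and anchor the keys (`"^10\\.1\\."` instead of `"10.1.*"`), or, better, switch to the Logstash `cidr` filter so ranges are expressed as networks rather than as string patterns. Either way, test the mapping against a list of hosts whose site you already know before the dashboard goes live, because a mis-attributed host will look like an event from the wrong site during an incident.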
Hello, the location details are given separately in a document, and the expectation is to map them in Kibana with the Winlogbeat servers.
Better you read this to enrich your index from Winlogbeat using a pipeline:
I suggest putting all the server information into a specific index in Elasticsearch, then building the enrich policy and pipeline, and, last but not least, setting the pipeline in the Winlogbeat `output.elasticsearch` section.
Regards,
Fadjar340
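A worked version of the steps in the reply above, added here and not Fadjar340's or Elastic's code. It builds the Elasticsearch request bodies offline (an inventory index with a keyword `hostname` and a `geo_point`, the enrich policy, its `_execute` call, and the ingest pipeline with an `enrich` processor) from the kind of server-to-location document the original poster has, and sends them only when `ES_URL` is set. The index, policy and pipeline names, the CSV inventory, the coordinates and the `hosts` value in the Winlogbeat snippet are all assumptions. It matches on `host.name`, which Winlogbeat sets on every event, rather than on `host.ip`, which is a list, and writes the site name and coordinates to `host.geo.name` / `host.geo.location`, fields the Winlogbeat index template already maps, so the Kibana map can use them without template changes.

```python
"""Build (and optionally send) the Elasticsearch requests that turn a server
inventory into enrichment for Winlogbeat events. Added example; names, CSV
content and coordinates are assumptions, not values from the thread."""
import csv
import io
import json
import os
import urllib.request

SERVERS_INDEX = "server-locations"          # assumed inventory index name
POLICY = "server-location-policy"           # assumed enrich policy name
PIPELINE = "winlogbeat-add-location"        # assumed ingest pipeline name

# Constructed stand-in for the document that lists which site each server is in.
SERVERS_CSV = """hostname,site,lat,lon
DC01,Bangalore,12.9716,77.5946
APP17,Bangalore,12.9716,77.5946
FS02,Frankfurt,50.1109,8.6821
"""


def servers_index_mapping():
    # hostname must be a keyword: the enrich processor does an exact match on match_field.
    # location is a geo_point so it can be copied straight into host.geo.location.
    return {"mappings": {"properties": {
        "hostname": {"type": "keyword"},
        "name": {"type": "keyword"},
        "location": {"type": "geo_point"},
    }}}


def bulk_docs(csv_text):
    """Parse the inventory CSV into (action, document) pairs for the _bulk API."""
    docs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = {"index": {"_index": SERVERS_INDEX, "_id": row["hostname"]}}
        doc = {"hostname": row["hostname"], "name": row["site"],
               "location": {"lat": float(row["lat"]), "lon": float(row["lon"])}}
        docs.append((action, doc))
    return docs


def bulk_body(csv_text):
    """NDJSON payload: one action line and one document line per server."""
    lines = []
    for action, doc in bulk_docs(csv_text):
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def enrich_policy():
    return {"match": {"indices": SERVERS_INDEX, "match_field": "hostname",
                      "enrich_fields": ["name", "location"]}}


def ingest_pipeline():
    # Look up host.name in the enrich index and copy name/location under host.geo.
    # ignore_missing keeps events without host.name flowing instead of failing the batch.
    return {"description": "Add site name and coordinates from the server inventory",
            "processors": [{"enrich": {
                "policy_name": POLICY, "field": "host.name", "target_field": "host.geo",
                "max_matches": 1, "ignore_missing": True}}]}


def winlogbeat_output_snippet():
    """winlogbeat.yml fragment that routes events through the pipeline (hosts value assumed)."""
    return f'output.elasticsearch:\n  hosts: ["https://es.example.internal:9200"]\n  pipeline: "{PIPELINE}"\n'


def requests_in_order():
    """(method, path, body) in the order Elasticsearch needs them."""
    return [
        ("PUT", f"/{SERVERS_INDEX}", json.dumps(servers_index_mapping())),
        ("POST", "/_bulk?refresh=true", bulk_body(SERVERS_CSV)),
        ("PUT", f"/_enrich/policy/{POLICY}", json.dumps(enrich_policy())),
        ("POST", f"/_enrich/policy/{POLICY}/_execute", ""),   # builds the hidden .enrich-* index
        ("PUT", f"/_ingest/pipeline/{PIPELINE}", json.dumps(ingest_pipeline())),
    ]


def send(base_url, method, path, body, api_key=None):
    """Send one request with urllib; returns the decoded JSON response."""
    req = urllib.request.Request(base_url + path, data=body.encode(), method=method)
    ndjson = path.startswith("/_bulk")
    req.add_header("Content-Type", "application/x-ndjson" if ndjson else "application/json")
    if api_key:
        req.add_header("Authorization", f"ApiKey {api_key}")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    es_url = os.environ.get("ES_URL")            # e.g. https://es.example.internal:9200
    for method, path, body in requests_in_order():
        print(method, path)
        print(body)
        if es_url:
            print(send(es_url, method, path, body, os.environ.get("ES_API_KEY")))
    print(winlogbeat_output_snippet())
```

Two things to check before relying on the result: the match is exact, so the `hostname` values in the inventory must be spelled and cased exactly as Winlogbeat reports `host.name` (look at one indexed event first); and the enrich index is a snapshot, so every time the inventory index changes you must run the `_execute` call again or new or moved servers keep their old site. The API key used here only needs to manage the inventory index, enrich policies and ingest pipelines; the Winlogbeat credentials do not need those privileges, they just name the pipeline.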