Logs module


#1

Hi all,

We have a lot of long multiline logs which are outputting a lot of information like stacktraces, error hints, request body, response body, return codes, etc.
So way too much to be really readable in a single message field. We are currently updating our source logfiles to be JSON structured, with many fields.

The discovery panel is not comfortably usable for this, because the field payload may have 30 lines, a stacktrace can become 100+ lines, etc. Kibana is only showing the first few lines of a field, then it is truncating the rest.

We want to use the Elastic Stack to search the log data of many application hosts (big cluster). I have quite a good knowledge of building KPI aggregations and building useful visualizations for monitoring. But in my new project the main use case will be combining logs from different application cluster nodes and searching in them to track down errors in complex multi-node, multi-log environments.

I updated my dev Elastic Stack to 6.5.4 and checked out the new logs module. The view of timestamp and message field looks good, but I need to be able to show the content of one or more fields. And I need to change the fields at runtime via the GUI. Is there any way to do so?

At indexing time I am not able to know, if I need to show the stack trace, the request or response body, or what field ever.

So I need to change it on displaying time.

Is there a way to do it, or is it planned to do so?

Thanks, Andreas


(Felix Stürmer) #2

Hi @asp,

in the current version the Logs UI uses a hard-coded heuristic to match a few well-known document structures and falls back to the message or @message fields. There is unfortunately no way to dynamically adjust these rules without building Kibana from source. If that is an option for you I could give you some pointers.

Making this configurable is absolutely something that is on our roadmap, though.