Hello,
I am trying to filter the data from Kibana/Elastic using the query below. I need output like - hain [ as mentioned below:
localhost:3000 10.42.10.112 - hain [01/Nov/2024:18:20:05 +0000]
Kindly help me out.
The query below is from "Elasticsearch Query DSL":
{
  "bool": {
    "must": [
      {
        "regexp": {
          "log": {
            "case_insensitive": true,
            "flags": "ALL",
            "value": " - [a-zA-Z0-9]* [[]"
          }
        }
      }
    ],
    "filter": [
      {
        "match_phrase": {
          "kubernetes.namespace_name": "xoxo-prod"
        }
      },
      {
        "match_phrase": {
          "kubernetes.container_name.keyword": "xoxo"
        }
      },
      {
        "exists": {
          "field": "log.keyword"
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}
Hi @GopalaKrishnan_Rathi, welcome to our community.
Have you tried this?
{
  "query": {
    "bool": {
      "must": [
        {
          "match_phrase": {
            "log": "- hain ["
          }
        }
      ],
      "filter": [
        {
          "match_phrase": {
            "kubernetes.namespace_name": "xoxo-prod"
          }
        },
        {
          "match_phrase": {
            "kubernetes.container_name": "xoxo"
          }
        }
      ]
    }
  }
}
@Alex_Salgado-Elastic
I have tried that and it's working for a static value, but I need it done dynamically using regexp. I want the log value to contain - [a-zA-Z0-9] [ in this format. hain is one user, but in the log I have lots of users. I want to get only the records with - username [
localhost:3000 10.42.10.112 - hain [01/Nov/2024:18:20:05 +0000]
localhost:3000 10.42.10.112 - jhon [01/Nov/2024:18:20:05 +0000]
localhost:3000 10.42.10.112 - test1 [01/Nov/2024:18:20:05 +0000]
localhost:3000 10.42.10.112 - test2 [01/Nov/2024:18:20:05 +0000]
etc.
I need to validate the condition of containing - username [ or not containing - - [, and get those records only.
gokadroid (gokadroid elk), November 10, 2024, 12:20am
If the IP field will always occur before the username, then how about trying this:
{
  "query": {
    "bool": {
      "must": [
        {
          "regexp": {
            "log": ".* [0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3} - [^\\s]+ \\["
          }
        }
      ],
      "filter": [
        {
          "match_phrase": {
            "kubernetes.namespace_name": "xoxo-prod"
          }
        },
        {
          "match_phrase": {
            "kubernetes.container_name": "xoxo"
          }
        }
      ]
    }
  }
}
Hello @gokadroid
It gave null records only.
My data looks like below.
Thanks,
Gopala
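An added example, not posted by anyone in this thread: it emulates the anchored, whole-term semantics of a Lucene `regexp` query with `re.fullmatch` to show why the patterns above return nothing, and builds the query body against the `log.keyword` subfield (the field name and the `xoxo-prod`/`xoxo` filter values are taken from the thread; the sample log lines are constructed).

```python
import re

# Constructed sample lines in the thread's log format (not real data).
SAMPLE_LOGS = [
    "localhost:3000 10.42.10.112 - hain [01/Nov/2024:18:20:05 +0000]",
    "localhost:3000 10.42.10.112 - jhon [01/Nov/2024:18:20:05 +0000]",
    "localhost:3000 10.42.10.112 - - [01/Nov/2024:18:20:06 +0000]",
    "localhost:3000 10.42.10.112 GET /healthz 200",
]

# Lucene anchors a regexp to the whole term, so a "contains" match needs
# .* at both ends. Explicit character classes are used instead of
# shorthand escapes such as \s, whose support depends on the Lucene version.
WITH_USER = ".* - [a-zA-Z0-9]+ \\[.*"   # line contains "- username ["
ANONYMOUS = ".* - - \\[.*"              # line contains "- - [" (no user)

def lucene_like_match(pattern, term):
    """Emulate the anchored (whole-term) behaviour of a Lucene regexp.
    Assumption: the pattern only uses syntax that Lucene and Python's re
    interpret the same way (. * + [...] and an escaped bracket)."""
    return re.fullmatch(pattern, term) is not None

def select_lines(lines, pattern):
    """Lines a regexp query on the keyword subfield would return."""
    return [line for line in lines if lucene_like_match(pattern, line)]

def build_query(pattern, namespace="xoxo-prod", container="xoxo"):
    """Query DSL body targeting log.keyword, where each line is one term.
    On the analyzed `log` text field the regexp is applied per token, so
    a pattern containing spaces can never match there."""
    return {
        "query": {
            "bool": {
                "must": [{"regexp": {"log.keyword": {
                    "value": pattern, "flags": "ALL", "case_insensitive": True}}}],
                "filter": [
                    {"match_phrase": {"kubernetes.namespace_name": namespace}},
                    {"match_phrase": {"kubernetes.container_name": container}},
                    {"exists": {"field": "log.keyword"}},  # skip lines over ignore_above
                ],
            }
        }
    }

if __name__ == "__main__":
    print(select_lines(SAMPLE_LOGS, " - [a-zA-Z0-9]* \\["))  # unanchored: []
    print(select_lines(SAMPLE_LOGS, WITH_USER))               # hain and jhon lines
    print(select_lines(SAMPLE_LOGS, ANONYMOUS))               # the "- -" line
```

A dynamically mapped `keyword` subfield keeps only values up to `ignore_above` (256 characters by default), so lines longer than that are absent from `log.keyword` and need the mapping adjusted rather than a different regexp.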