Scenario: Error messages were found (via a Kibana visualization), but the original log file itself has rolled over, and the Errors I'm looking for are gone. I'd like to log a bug and attach a proper log file for the DEV team.
I'd like to know if there is a way to re-build the corresponding filebeat'ed log file, via Kibana search results.
ie, Using Kibana - I can discover by [beat.name], [source] and [the time it occured], and Kibana shows it on the screen - GREAT!
Now, how can I export the messages by timestamp back to a .txt file?
There may be better ways now and in the future I expect Kibana will have a csv export feature on Discover tab.
But for now, this might work for you.
Create a Data Table visualization and keep splitting rows with Terms aggregations on the fields you need in your "log".
When I first split by my @timestamp field I see a count of 7 for some rows of results. That means there were 7 log messages in that millisecond time resolution.
But as I keep splitting rows by other fields (that have more uniqueness), I eventually get the count of each row down to 1.
Then at the bottom of those results are 2 Export links. In Raw output timestamps are like unix time numbers, and in Formatted the timestamps are human-readable.
One problem is that if you have multiple results in 1 millisecond you probably can't get them in the right order (unless there's something else in your data to do the first split on).
And another question is how large to set the size for each of those Terms aggregations. Maybe that depends on how many docs/rows are in the time interval you need to output.
If you get a good output, save the visualization so you don't have to go through all that again.
Let us know if you come up with a better solution.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.