Visualize a value over time with data from log

Elastic Stack Kibana
1

Hi!
We have just set up a sample Elastic/Logstash/Kibana server where logs are flying in from a Zuul server.
The only log data I'm interested in right now is these entries:

2017-12-12 12:50:55,456 DEBUG zuul.DependentPipelineManager: window size increased to 14
2017-12-12 12:50:57,097 DEBUG zuul.DependentPipelineManager: window size increased to 16
2017-12-12 12:52:12,069 DEBUG zuul.DependentPipelineManager: window size decreased to 8
2017-12-12 12:52:29,528 DEBUG zuul.DependentPipelineManager: window size decreased to 4

And I want to visualize these values. The problem(s) I have right now is that I do not know how I can extract the number from the log entry. And to be honest I don't know how to visualize it later either.

Anyone in this forum that have an idea how to do this? I'm thinking we have something like following steps:

  • Somehow extract this value from every log row
  • Put this data somewhere
  • Visualize it.

EDIT: The log contains a lot of different data. This is not the only data. The only structure we know for sure about the log (if no stack trace gets in the way) is:
-timestamp- -service- -log message-.

And I want to extract values inside of the "log message".

2

Take a look at logstash. What you need to do is parse your data before you index it in elasticsearch. Logstash will help you do just that. Split your data into multiple fields like datetime, service, type of change, change value. Only then will you be able to visualize this in Kibana.

If you have more questions about how to configure logstash I suggest you ask in the logstash discuss forum.

regards, Peter

3

Logstash is already installed. Also I have used grok to filter timestamp, service and message from each log row into separate fields. However I do not really know if Grok is the right way to go, or if I should use Dissect filter plugin (https://www.elastic.co/guide/en/logstash/current/plugins-filters-dissect.html#plugins-filters-dissect).

When I have searched the web people say that Grok is slow, but on the other hand Dissect seems only suitable for logs that always have the same syntax, e.g: it cannot effectively parse the different content inside the message field. It has to be the same all the time.

4

I would guess grok should be ok (how many records do you index per second ? ) however it would be better to ask in logstash forum and get an experts opinion on what would be the right approach.

5

I think its a couple of hundred log entries/sec. Maybe peaking at 1k.

6

Hi again!
Finally I got some stuff in place. Im now using Grok to parse the window size value into different fields. So in Kibana I can show a nice table with columns "timestamp", "queue", "window size". However I run into problems when trying to visualize it since I can only visualize number of rows where I have "window size increased/decreased to X". I want to visualize the number X. Do you have any idea how I can do that? Is it possible?

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.