
Elasticsearch / Kibana:通过匹配其他筛选结果中的值来筛选记录


我在 Kibana 中看到如下消息(时间跨度为 5 秒):

Date, Message, TraceId

Dec 10, 2020 @ 10:49:50.285 New request start http://somehost/path1   7ec708ab153e644f
Dec 10, 2020 @ 10:49:51.179 New request end http://somehost/path1     7ec708ab153e644f
Dec 10, 2020 @ 10:49:52.285 New request start http://somehost/path2   1e090982aeb026a3
Dec 10, 2020 @ 10:49:54.285 New request start http://somehost/path3   b880dfa9c4fd39ad
Dec 10, 2020 @ 10:49:53.179 New request end http://somehost/path3     b880dfa9c4fd39ad
Dec 10, 2020 @ 10:49:54.349 New request start http://somehost/path4   65184024b220dd0c
我该如何筛选记录,只查看那些没有对应 "New request end" 行(按 TraceId 匹配)的 "New request start" 行?

例如,对于上面的行,我希望看到结果:

Dec 10, 2020 @ 10:49:52.285 New request start http://somehost/path2   1e090982aeb026a3
Dec 10, 2020 @ 10:49:54.349 New request start http://somehost/path4   65184024b220dd0c
你可以

  • 按traceID分组
  • 只取按日期排序后的第一条结果,或者在 message 字段中按 "start" 筛选出 1 条结果
  • 以下是一些示例:

    {
      "size": 0,
      "aggs": {
        "group_by_trace": {
          "terms": {
            "field": "TraceId.keyword",
            "size": 10,
            "min_doc_count": 2
          },
          "aggs": {
            "startt_request": {
            "top_hits": {
              "sort": [
                {
                  "date": {
                    "order": "asc"
                  }
                }
              ],
              "_source": {
                "includes": [
                  "date",
                  "message",
                  "TraceId"
                ]
              },
              "size": 1
            }
            }
          }
        }
      }
    }
    
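    响应如下(注意:由于 min_doc_count 为 2,这里返回的是同时具有开始和结束记录的 TraceId,即 7ec708ab153e644f 和 b880dfa9c4fd39ad,而不是问题中期望的、缺少结束记录的 1e090982aeb026a3 和 65184024b220dd0c;要找出未结束的请求,需要改为筛选只含 1 条文档的分组,例如用 bucket_selector 按 _count 判断。另外 terms 聚合的 size 为 10,最多只返回 10 个分组):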

    {
      "aggregations" : {
        "group_by_trace" : {
          "doc_count_error_upper_bound" : 0,
          "sum_other_doc_count" : 0,
          "buckets" : [
            {
              "key" : "7ec708ab153e644f",
              "doc_count" : 2,
              "startt_request" : {
                "hits" : {
                  "total" : {
                    "value" : 2,
                    "relation" : "eq"
                  },
                  "max_score" : null,
                  "hits" : [
                    {
                      "_index" : "testlog",
                      "_type" : "_doc",
                      "_id" : "SOvlZXYBTUPHNNy0GTa-",
                      "_score" : null,
                      "_source" : {
                        "date" : "Dec 10, 2020 @ 10:49:50.285",
                        "TraceId" : "7ec708ab153e644f",
                        "message" : "New request start http://somehost/path1"
                      },
                      "sort" : [
                        "Dec 10, 2020 @ 10:49:50.285"
                      ]
                    }
                  ]
                }
              }
            },
            {
              "key" : "b880dfa9c4fd39ad",
              "doc_count" : 2,
              "startt_request" : {
                "hits" : {
                  "total" : {
                    "value" : 2,
                    "relation" : "eq"
                  },
                  "max_score" : null,
                  "hits" : [
                    {
                      "_index" : "testlog",
                      "_type" : "_doc",
                      "_id" : "rqLlZXYBcOugy9Fj5LZp",
                      "_score" : null,
                      "_source" : {
                        "date" : "Dec 10, 2020 @ 10:49:54.285",
                        "TraceId" : "b880dfa9c4fd39ad",
                        "message" : "New request start http://somehost/path3"
                      },
                      "sort" : [
                        "Dec 10, 2020 @ 10:49:54.285"
                      ]
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    }
    
    {
      "aggregations" : {
        "group_by_trace" : {
          "buckets" : [
            {
              "start_messages" : {
                "buckets" : {
                  "start" : {
                    "start_request" : {
                      "hits" : {
                        "hits" : [
                          {
                            "_index" : "testlog",
                            "_type" : "_doc",
                            "_id" : "SOvlZXYBTUPHNNy0GTa-",
                            "_score" : 1.0,
                            "_source" : {
                              "date" : "Dec 10, 2020 @ 10:49:50.285",
                              "TraceId" : "7ec708ab153e644f",
                              "message" : "New request start http://somehost/path1"
                            }
                          }
                        ]
                      }
                    }
                  }
                }
              }
            },
            {
              "start_messages" : {
                "buckets" : {
                  "start" : {
                    "start_request" : {
                      "hits" : {
                        "hits" : [
                          {
                            "_index" : "testlog",
                            "_type" : "_doc",
                            "_id" : "rqLlZXYBcOugy9Fj5LZp",
                            "_score" : 1.0,
                            "_source" : {
                              "date" : "Dec 10, 2020 @ 10:49:54.285",
                              "TraceId" : "b880dfa9c4fd39ad",
                              "message" : "New request start http://somehost/path3"
                            }
                          }
                        ]
                      }
                    }
                  }
                }
              }
            }
          ]
        }
      }
    }
    
    或者更好的做法是使用 filters 聚合,并配合 filter_path 精简响应:

    GET /_search?filter_path=aggregations.group_by_trace.buckets.start_messages.buckets.start.start_request.hits.hits
    {
      "size": 0,
      "aggs": {
        "group_by_trace": {
          "terms": {
            "field": "TraceId.keyword",
            "size": 10,
            "min_doc_count": 2
          },
          "aggs": {
            "start_messages": {
              "filters": {
                "filters": {
                  "start": {
                    "match": {
                      "message": "start"
                    }
                  }
                }
              },
              "aggs": {
                "start_request": {
                  "top_hits": {
                    "_source": {
                      "includes": [
                        "date",
                        "message",
                        "TraceId"
                      ]
                    },
                    "size": 1
                  }
                }
              }
            }
          }
        }
      }
    }
    
    答复如下:

    {
      "aggregations" : {
        "group_by_trace" : {
          "doc_count_error_upper_bound" : 0,
          "sum_other_doc_count" : 0,
          "buckets" : [
            {
              "key" : "7ec708ab153e644f",
              "doc_count" : 2,
              "startt_request" : {
                "hits" : {
                  "total" : {
                    "value" : 2,
                    "relation" : "eq"
                  },
                  "max_score" : null,
                  "hits" : [
                    {
                      "_index" : "testlog",
                      "_type" : "_doc",
                      "_id" : "SOvlZXYBTUPHNNy0GTa-",
                      "_score" : null,
                      "_source" : {
                        "date" : "Dec 10, 2020 @ 10:49:50.285",
                        "TraceId" : "7ec708ab153e644f",
                        "message" : "New request start http://somehost/path1"
                      },
                      "sort" : [
                        "Dec 10, 2020 @ 10:49:50.285"
                      ]
                    }
                  ]
                }
              }
            },
            {
              "key" : "b880dfa9c4fd39ad",
              "doc_count" : 2,
              "startt_request" : {
                "hits" : {
                  "total" : {
                    "value" : 2,
                    "relation" : "eq"
                  },
                  "max_score" : null,
                  "hits" : [
                    {
                      "_index" : "testlog",
                      "_type" : "_doc",
                      "_id" : "rqLlZXYBcOugy9Fj5LZp",
                      "_score" : null,
                      "_source" : {
                        "date" : "Dec 10, 2020 @ 10:49:54.285",
                        "TraceId" : "b880dfa9c4fd39ad",
                        "message" : "New request start http://somehost/path3"
                      },
                      "sort" : [
                        "Dec 10, 2020 @ 10:49:54.285"
                      ]
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    }
    
    {
      "aggregations" : {
        "group_by_trace" : {
          "buckets" : [
            {
              "start_messages" : {
                "buckets" : {
                  "start" : {
                    "start_request" : {
                      "hits" : {
                        "hits" : [
                          {
                            "_index" : "testlog",
                            "_type" : "_doc",
                            "_id" : "SOvlZXYBTUPHNNy0GTa-",
                            "_score" : 1.0,
                            "_source" : {
                              "date" : "Dec 10, 2020 @ 10:49:50.285",
                              "TraceId" : "7ec708ab153e644f",
                              "message" : "New request start http://somehost/path1"
                            }
                          }
                        ]
                      }
                    }
                  }
                }
              }
            },
            {
              "start_messages" : {
                "buckets" : {
                  "start" : {
                    "start_request" : {
                      "hits" : {
                        "hits" : [
                          {
                            "_index" : "testlog",
                            "_type" : "_doc",
                            "_id" : "rqLlZXYBcOugy9Fj5LZp",
                            "_score" : 1.0,
                            "_source" : {
                              "date" : "Dec 10, 2020 @ 10:49:54.285",
                              "TraceId" : "b880dfa9c4fd39ad",
                              "message" : "New request start http://somehost/path3"
                            }
                          }
                        ]
                      }
                    }
                  }
                }
              }
            }
          ]
        }
      }
    }