
elasticsearch Kibana未显示.raw字段的任何值


我正在使用 Kibana 4,字段列表中同时显示了 result 以及 result.raw 这样的 .raw 字段。
我已经检查了 Elasticsearch 的索引映射,其中也包含这些 .raw 字段。
那么为什么 Kibana 不显示这些 .raw 字段的任何值呢?(过去 15 天一直能正常显示,但昨天我在 Logstash 配置文件中添加了更多 grok 模式,从那时起就不再显示这些值了。现在连过去数据的 .raw 字段值也不显示了。我添加的模式工作正常,已分析(analyzed)字段的值都有,只是 .raw 字段没有值。)



curl -XGET 'localhost:9200/logstash-2015.09.25?pretty'
   {
     "logstash-2015.09.25" : {
         "aliases" : { },
         "mappings" : {
         "_default_" : {
         "dynamic_templates" : [ {
         "message_field" : {
         "mapping" : {
         "index" : "analyzed",
         "omit_norms" : true,
         "type" : "string"
        },
        "match" : "message",
        "match_mapping_type" : "string"
      }
    }, {
      "string_fields" : {
        "mapping" : {
          "index" : "analyzed",
          "omit_norms" : true,
          "type" : "string",
          "fields" : {
            "raw" : {
              "index" : "not_analyzed",
              "ignore_above" : 256,
              "type" : "string"
            }
          }
        },
        "match" : "*",
        "match_mapping_type" : "string"
      }
    } ],
    "_all" : {
      "enabled" : true,
      "omit_norms" : true
    },
    "properties" : {
      "@version" : {
        "type" : "string",
        "index" : "not_analyzed"
      },
      "geoip" : {
        "dynamic" : "true",
        "properties" : {
          "location" : {
            "type" : "geo_point"
          }
        }
      }
    }
  },
  "scan_production" : {
    "dynamic_templates" : [ {
      "message_field" : {
        "mapping" : {
          "index" : "analyzed",
          "omit_norms" : true,
          "type" : "string"
        },
        "match" : "message",
        "match_mapping_type" : "string"
      }
    }, {
      "string_fields" : {
        "mapping" : {
          "index" : "analyzed",
          "omit_norms" : true,
          "type" : "string",
          "fields" : {
            "raw" : {
              "index" : "not_analyzed",
              "ignore_above" : 256,
              "type" : "string"
            }
          }
        },
        "match" : "*",
        "match_mapping_type" : "string"
      }
    } ],
    "_all" : {
      "enabled" : true,
      "omit_norms" : true
    },
    "properties" : {
      "@timestamp" : {
        "type" : "date",
        "format" : "dateOptionalTime"
      },
      "@version" : {
        "type" : "string",
        "index" : "not_analyzed"
      },
      "command" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "file" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "geoip" : {
        "dynamic" : "true",
        "properties" : {
          "location" : {
            "type" : "geo_point"
          }
        }
      },
      "host" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "id" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "message" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        }
      },
      "message_type" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "offset" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "received_at" : {
        "type" : "date",
        "format" : "dateOptionalTime"
      },
      "received_from" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "result" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "severity" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "tags" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      },
      "timestamp" : {
        "type" : "date",
        "format" : "dateOptionalTime"
      },
      "type" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 256
          }
        }
      }
    }
  },
"settings" : {
  "index" : {
    "creation_date" : "1443139268796",
    "uuid" : "qJyyA60ZSpGY2CuBfoG8JQ",
    "number_of_replicas" : "1",
    "number_of_shards" : "5",
    "refresh_interval" : "5s",
    "version" : {
      "created" : "1040599"
    }
  }
},
"warmers" : { }
  }
 }
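# Logstash pipeline: lumberjack input -> grok parsing of "scan_production"
# events -> Elasticsearch on localhost, plus a debug copy on stdout.

input {
  # Accepts logstash-forwarder (lumberjack protocol) connections on TCP 5000,
  # using the certificate and private key below for TLS.
  lumberjack {
    port => 5000
    # An input-level type does not replace a type the shipper already set.
    # The filter below only handles "scan_production", so presumably the
    # forwarder sets that type itself -- confirm against its configuration.
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    # Private key: keep it readable only by the account Logstash runs as.
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "scan_production" {

    # The grok pattern is chosen by a marker substring in the message.
    # Shared prefix of all three patterns: severity, [timestamp #id],
    # message_type, command.
    #
    # Named captures must be written (?<name>...) with no whitespace between
    # "(?" and "<name>"; a space there is rejected by the regex engine.
    #
    # In (?<severity>[E]|[W]|%{GREEDYDATA}) the last alternative lets severity
    # capture any text before the comma, not only E or W.
    # NOTE(review): none of the patterns is anchored; a leading ^ would let
    # non-matching lines fail faster -- confirm it fits the log format first.

    if "LISTING_SCRAPER SUCCESS" in [message] {
      grok {
        match => { "message" => "(?<severity>[E]|[W]|%{GREEDYDATA})\, +\[(?<timestamp>%{TIMESTAMP_ISO8601}) \#(?<id>%{INT})\] +%{WORD:message_type} \-\- \: (?<command>%{DATA}\:|%{DATA}\:%{NOTSPACE}) %{NOTSPACE:site_name} \location: (?<location_id>%{INT}|%{SPACE}) time\:\ %{BASE10NUM:site_access_time:float}" }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
      }
      # site_access_time is already cast by the ":float" suffix in the grok
      # pattern; this convert repeats the same cast.
      mutate {
        convert => ["site_access_time", "float"]
      }
    }

    else if "LISTING_CRAWLER SUCCESS site" in [message] {
      grok {
        # NOTE(review): "location_iteam" looks like a typo, but renaming it
        # would change the field name stored in Elasticsearch, so it is kept.
        match => { "message" => "(?<severity>[E]|[W]|%{GREEDYDATA})\, +\[(?<timestamp>%{TIMESTAMP_ISO8601}) \#(?<id>%{INT})\] +%{WORD:message_type} \-\- \: (?<command>%{DATA}\:|%{DATA}\:%{NOTSPACE}) %{NOTSPACE:site_name} \location: (?<location_id>%{INT}|%{SPACE}) time\:\ %{BASE10NUM:site_access_time:float} items\: %{BASE10NUM:location_iteam:float}" }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
      }
      mutate {
        convert => ["site_access_time", "float"]
      }
    }

    else {
      # Fallback for every other scan_production line: everything after the
      # command is captured into "result". Only this branch sets "result".
      grok {
        match => { "message" => "(?<severity>[E]|[W]|%{GREEDYDATA})\, +\[(?<timestamp>%{TIMESTAMP_ISO8601}) \#(?<id>%{INT})\] +%{WORD:message_type} \-\- \: (?<command>%{DATA}\:|%{DATA}\:%{NOTSPACE}) %{GREEDYDATA:result}" }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
      }
    }
  }
}

output {
  # Indexes events into Elasticsearch on the same machine over plain HTTP.
  # No credentials or TLS are configured in this block, so the HTTP API should
  # stay reachable from localhost only, or sit behind something that
  # authenticates callers.
  elasticsearch {
    host => localhost
    protocol => http
  }
  # Debug output: prints every event in full to Logstash's stdout, so the
  # parsed log lines end up wherever that stream is captured. Remove it
  # outside troubleshooting.
  stdout { codec => rubydebug }
}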