Once these fields are added to the index they can be used to search and aggregate data based on these properties. This simplifies searching for logs and creating charts aggregated by a particular version of the app on a particular server, for example if you wish to view logs “fromAnitaLaptop” running version 2.1.0.

Step-by-step simple proof of concept example of adding one field to filebeat.yml

The example uses generic logs generated by my laptop. Pre-condition: Filebeat is installed on my laptop.

- Edit filebeat.yml to add the custom field for the log file.
- Save the file and restart Filebeat if it was already running.
- Verify the new field is showing as expected in Kibana > Discover.
- Refresh the index pattern so the new field is picked up.
- Verify the new field is easily searchable in Kibana > Discover.

Edit filebeat.yml to add the custom field for the log file. In filebeat.yml add the fields and fields_under_root as follows below the path for one particular log, in this case the standard /var/log/.log*. In this example, the field with the value fromAnitaLaptop will be added to every indexed document in Elasticsearch coming from /var/log/.log*.

Save the file and restart Filebeat if it was already running.

Verify the new field is showing as expected in Kibana > Discover. Notice there is a warning that there is no cached mapping for this field.

Refresh the index pattern by navigating to Management: Stack Management > Kibana: Index Patterns > select the index pattern, Refresh and Confirm.

It should now be easy to search on logs with this field. To do so, ensure there are some new log entries that have been generated since updating and restarting Filebeat, then refresh Kibana > Discover to view the latest logs.

The new field should now be easily searchable in Kibana > Discover. One way is to type the new field name in “Search field names” under the index pattern name, then add the field, which will show this field as a column in the logs view area. Another way is to type the field name in the Discover search bar at the top…, select “equals”, and the value should show as a suggestion.

Note: would have been more correct as per …

Add the following fields if the version number is explicitly known for a log file.

```yaml
# filebeat.yml
- SNIP -
# Add the following fields and fields_under_root underneath the path
```

Repeat the steps of restarting Filebeat and refreshing the Index Pattern to remove the warnings.

These custom fields make it simple to search and aggregate data for:

- an explicit full version number, eg 2.1.0.
- a combination of major and minor, eg major version 2 and minor version 1.
- a combination of logs “fromAnitaLaptop” with a particular version combination, because we are adding the version fields in addition to the existing custom field.

Note that it is now easy to search upon specific combinations of versions, as well as less than and greater than specific versions. It is also easy to include the value

Example: It is easy to filter only logs coming from major version 2 and minor version 1, where the bugfix version does not matter, and origin fromAnitaLaptop.

The custom fields added to the index in Elasticsearch contain useful meta information that gives the logs context, and thus the logs can be more easily searched in that context.
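As an added, illustrative filebeat.yml fragment (not the original post's snipped config): it shows the fields and fields_under_root settings described above with both the origin field and the version fields. The field names origin, version.full, version.major, version.minor and version.bugfix, and the /var/log/*.log path, are assumptions; the post only gives the value fromAnitaLaptop and a 2.1.0-style version.

```yaml
# filebeat.yml (added example; field names and path are assumptions, see above)
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
    # Custom metadata attached to every event read from these paths.
    fields:
      origin: fromAnitaLaptop
      version:
        full: "2.1.0"   # string, for exact-match filters on the whole version
        major: 2        # unquoted integers so dynamic mapping can type them as numbers,
        minor: 1        # which is what makes "less than / greater than" queries work
        bugfix: 0
    # true puts the fields at the top level of the document (origin, version.major);
    # false (the default) nests them under "fields" (fields.origin, fields.version.major).
    fields_under_root: true

# Kibana Discover (KQL) queries that these fields make possible:
#   origin : "fromAnitaLaptop" and version.major : 2 and version.minor : 1
#   version.full : "2.1.0"
#   version.major >= 2 and version.minor < 3
```

After refreshing the index pattern, check that version.major, version.minor and version.bugfix show a numeric type; a field that was first indexed as a quoted string keeps its keyword mapping in that index, and range queries on it will not behave numerically.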