作者:郭海亮
查看樣例數據
登錄 Kibana
瀏覽器輸入:http://localhost:5601
地址格式為:http://kibana地址:kibana所使用的端口,均為在 kibana.yml 配置文件中定義的。
導入樣例數據
查看樣例數據
在左上方選擇樣例數據的索引,右上方選擇需要查詢的時間範圍,即可看到我們需要的數據,如下:
默認會展示所有字段,當然,也可以在左側欄選擇需要展示的字段,如下:
這些數據也可以以表或者以JSON形式展示,如下:
將鼠標移動到某個字段上,會出現上下的箭頭,此時便可以根據箭頭進行排序,如下:
查看樣例數據圖表
這是系統內置的一些數據圖表方便我們快速瞭解 Kibana。
開發工具 Dev Tools
Dev Tools 是 Kibana 中最常用的功能,點擊導航欄 -> Management -> 開發工具即可使用。
點擊控制檯 -> 設置,可以看到一些字體、換行等設置。
點擊 Grok Debugger 可以進行一些正則調試,與 Logstash 結合解析日誌。
基礎查詢
更加詳細的查詢語法參考:https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html
查看集群支持的選項
GET _cat返回
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
/_cat/count
/_cat/count/{index}
/_cat/recovery
/_cat/recovery/{index}
/_cat/health
/_cat/pending_tasks
/_cat/aliases
/_cat/aliases/{alias}
/_cat/thread_pool
/_cat/thread_pool/{thread_pools}
/_cat/plugins
/_cat/fielddata
/_cat/fielddata/{fields}
/_cat/nodeattrs
/_cat/repositories
/_cat/snapshots/{repository}
/_cat/templates
/_cat/ml/anomaly_detectors
/_cat/ml/anomaly_detectors/{job_id}
/_cat/ml/trained_models
/_cat/ml/trained_models/{model_id}
/_cat/ml/datafeeds
/_cat/ml/datafeeds/{datafeed_id}
/_cat/ml/data_frame/analytics
/_cat/ml/data_frame/analytics/{id}
/_cat/transforms
/_cat/transforms/{transform_id}查看節點信息
GET _cat/nodes?v返回
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.38 51 99 14 0.12 0.14 0.21 cdhilmrstw - 1619503017001957332
10.0.0.32 47 99 9 0.70 0.28 0.26 cdhilmrstw - 1619503017001957532
10.0.0.41 54 99 14 2.53 1.02 0.66 cdhilmrstw * 1619503017001957432查看 Master 節點信息
GET _cat/master?v返回
id host ip node
V_EuhAkbTS6T80mN3KX0XQ 10.0.0.41 10.0.0.41 1619503017001957432查看所有節點上的熱點線程
GET _nodes/hot_threads返回
::: {1619503017001957332}{26XvIqLSRlC2hEJ7-kAPUw}{9ytH1jFvTxWT8XHKILnWGg}{10.0.0.38}{10.0.0.38:9300}{cdhilmrstw}{ml.machine_memory=1959018496, rack=cvm_33_330001, xpack.installed=true, set=330001, transform.node=true, ip=9.27.21.20, temperature=hot, ml.max_open_jobs=20, region=33}
Hot threads at 2021-05-05T12:44:05.242Z, interval=500ms, busiestThreads=3, ignoreIdleThreads=true:
::: {1619503017001957532}{Chd-cONFTwOTtZ5H-SdnpQ}{UgtOpFLURSa-Otaq5ECJnQ}{10.0.0.32}{10.0.0.32:9300}{cdhilmrstw}{ml.machine_memory=1959018496, rack=cvm_33_330001, xpack.installed=true, set=330001, transform.node=true, ip=9.27.19.91, temperature=hot, ml.max_open_jobs=20, region=33}
Hot threads at 2021-05-05T12:44:05.266Z, interval=500ms, busiestThreads=3, ignoreIdleThreads=true:
::: {1619503017001957432}{V_EuhAkbTS6T80mN3KX0XQ}{VIcWTj5ERsmG_mY5jZSWtg}{10.0.0.41}{10.0.0.41:9300}{cdhilmrstw}{ml.machine_memory=1959018496, rack=cvm_33_330001, xpack.installed=true, set=330001, transform.node=true, ip=9.27.16.243, temperature=hot, ml.max_open_jobs=20, region=33}
Hot threads at 2021-05-05T12:44:05.390Z, interval=500ms, busiestThreads=3, ignoreIdleThreads=true:查看不健康的分片或索引
GET _cluster/allocation/explain?pretty返回
{
"error" : {
"root_cause" : [
{
"type" : "illegal_argument_exception",
"reason" : "unable to find any unassigned shards to explain [ClusterAllocationExplainRequest[useAnyUnassignedShard=true,includeYesDecisions?=false]"
}
],
"type" : "illegal_argument_exception",
"reason" : "unable to find any unassigned shards to explain [ClusterAllocationExplainRequest[useAnyUnassignedShard=true,includeYesDecisions?=false]"
},
"status" : 400
}查看線程池設置
GET _nodes/thread_pool/返回
{
"_nodes" : {
"total" : 3,
"successful" : 3,
"failed" : 0
},
"cluster_name" : "es-gcudgkos",
"nodes" : {
"Chd-cONFTwOTtZ5H-SdnpQ" : {
"name" : "1619503017001957532",
"transport_address" : "10.0.0.32:9300",
"host" : "10.0.0.32",
"ip" : "10.0.0.32",
"version" : "7.10.1",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "27aa98ee709dc860b4bec3994b44ba2e6c8dd73d",
"roles" : [
"data",
"data_cold",
"data_content",
"data_hot",
"data_warm",
"ingest",
"master",
"ml",
"remote_cluster_client",
"transform"
],
......查看集群全部信息
GET _cluster/stats?human&pretty返回
{
"_nodes" : {
"total" : 3,
"successful" : 3,
"failed" : 0
},
"cluster_name" : "es-gcudgkos",
"cluster_uuid" : "UhtpZp9lScapLQIbid4gbw",
"timestamp" : 1620218697400,
"status" : "green",
"indices" : {
"count" : 29,
"shards" : {
"total" : 58,
"primaries" : 29,
"replication" : 1.0,
"index" : {
"shards" : {
"min" : 2,
"max" : 2,
"avg" : 2.0
},
"primaries" : {
"min" : 1,
"max" : 1,
"avg" : 1.0
},
"replication" : {
"min" : 1.0,
"max" : 1.0,
"avg" : 1.0
}
}
},
......查看集群狀態
GET _cluster/health?pretty返回
{
"cluster_name" : "es-gcudgkos",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 29,
"active_shards" : 58,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}獲取所有索引的信息
GET _cat/indices?v&pretty返回
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .monitoring-kibana-7-2021.05.05 6q8JfbKET9WHaIm7cr2psg 1 1 18384 0 8.2mb 3.2mb
green open .monitoring-kibana-7-2021.05.04 mZpqpa90R22C3PSvpv_CnA 1 1 34556 0 10.3mb 5.1mb
green open .monitoring-kibana-7-2021.04.30 W2FAgGZ5TASJHYnoT5ofvg 1 1 34558 0 10.5mb 5.2mb
green open .items-default-000001 Se5hFqb7ThiiNbx8MMNQ3g 1 1 0 0 416b 208b
green open .monitoring-kibana-7-2021.05.03 mRH2eYPUTjOTWk0745d0Sw 1 1 34560 0 10.3mb 5.1mb
green open .monitoring-kibana-7-2021.05.02 G2_RTwVGRyii0pK9YPzp6w 1 1 34556 0 10.3mb 5.1mb
green open .monitoring-kibana-7-2021.05.01 GXj_YZZkSaWezvKDMJBTGA 1 1 34560 0 10.4mb 5.2mb
green open .apm-custom-link b3aD6BJ_TNOTEeDj6i6oDQ 1 1 0 0 416b 208b
green open .kibana_task_manager_1 IwHXIHnOSN6PJNN_kpvWLg 1 1 6 3516 3.5mb 578.2kb
green open logs-index_pattern_placeholder XR4BMRsgQzWgTX8-oXez-A 1 1 0 0 416b 208b
green open .monitoring-es-7-2021.04.29 NK-SLq7BSVaDUTmIl8rQcw 1 1 36357 0 46.1mb 20.7mb
green open .monitoring-kibana-7-2021.04.29 k7IXameTQIygrqKo6jz31w 1 1 34560 0 10.5mb 5.2mb
green open .lists-default-000001 6mx7-p1xSVef1uBunLAGgw 1 1 0 0 416b 208b
green open .apm-agent-configuration XxPQmjjfRQu_Qdl2jwZHxg 1 1 0 0 416b 208b
green open .kibana_1 xXlKVyfsSbSFY2ygRaalRw 1 1 140 61 8.9mb 4.4mb
green open .monitoring-es-7-2021.04.30 ULyYh6fTRdOBAUfvyKK2Kw 1 1 38994 0 43.4mb 21.7mb
green open .security-7 2rEeUg0vT8a6cQv18v73LA 1 1 46 0 306.9kb 106kb
green open .monitoring-es-7-2021.05.01 RrtO4Wp7Taad93D4awHNJg 1 1 41977 0 46.7mb 23.3mb
green open wfe 1UlifJS6Rsu4O8fVxaElGg 1 1 1085 1 16.5mb 8.2mb
green open .kibana-event-log-7.10.1-000001 ny0H9LiiQPuI8AH9zcPkfg 1 1 4 0 23.6kb 11.8kb
green open metrics-index_pattern_placeholder GQWH2XCFSq2gbIqGwgL_XA 1 1 0 0 416b 208b
green open kibana_sample_data_logs COoX4096S0az6IzJ6Mo7MA 1 1 14074 0 18.9mb 9.4mb
green open .async-search NsGrHYxWRK-C0iLvZ7THQQ 1 1 0 0 7.2kb 3.6kb
green open .monitoring-es-7-2021.05.03 xnk57_D-SSeqyW6kwpuSgw 1 1 47673 0 53.2mb 26.6mb
green open .monitoring-es-7-2021.05.02 Jii6AjJbTOmbBpT-zbM5RA 1 1 44778 0 50.2mb 25mb
green open .monitoring-es-7-2021.05.05 YtJgJS-tRSq39a18-oLLyQ 1 1 27816 44548 37.4mb 18.9mb
green open .monitoring-es-7-2021.05.04 j3UnA4odSlOLgT3AlAZMAQ 1 1 52027 0 55.8mb 27.8mb查看集群狀態
- green:所有功能完好;
- yellow:數據是可用的,但存在未被分配的副本;
- red:集群中存在不可用的數據;
GET _cat/health?v返回
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1620218868 12:47:48 es-gcudgkos green 3 3 58 29 0 0 0 0 - 100.0%創建索引 test
- test:索引名;
- pretty:輸出格式良好的JSON響應;
PUT test?pretty返回
{
"acknowledged" : true,
"shards_acknowledged" : true,
"index" : "test"
}查看 test 索引
GET test返回
{
"test" : {
"aliases" : { },
"mappings" : {
"dynamic_templates" : [
{
"message_full" : {
"match" : "message_full",
"mapping" : {
"fields" : {
"keyword" : {
"ignore_above" : 2048,
"type" : "keyword"
}
},
"type" : "text"
}
}
},
{
"message" : {
"match" : "message",
"mapping" : {
"type" : "text"
}
}
},
{
"strings" : {
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
}
]
},
"settings" : {
"index" : {
"routing" : {
"allocation" : {
"include" : {
"_tier_preference" : "data_content"
}
}
},
"refresh_interval" : "10s",
"number_of_shards" : "1",
"translog" : {
"sync_interval" : "5s",
"durability" : "async"
},
"provided_name" : "test",
"max_result_window" : "65536",
"creation_date" : "1620218910183",
"unassigned" : {
"node_left" : {
"delayed_timeout" : "5m"
}
},
"number_of_replicas" : "1",
"uuid" : "Xshcy1IyRemznHzcv3Focw",
"version" : {
"created" : "7100199"
}
}
}
}
}判斷索引 test 是否存在
HEAD test返回
200 - OK打開索引 test
POST test/_open返回
{
"acknowledged" : true,
"shards_acknowledged" : true,
"indices" : {
"test" : {
"closed" : true
}
}
}關閉索引 test
POST test/_close返回
{
"acknowledged" : true,
"shards_acknowledged" : false,
"indices" : { }
}查看索引 test 狀態
GET test/_stats返回
{
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_all" : {
"primaries" : {
"docs" : {
"count" : 0,
"deleted" : 0
},
"store" : {
"size_in_bytes" : 230,
"reserved_in_bytes" : 0
},
"indexing" : {
"index_total" : 0,
"index_time_in_millis" : 0,
"index_current" : 0,
"index_failed" : 0,
"delete_total" : 0,
"delete_time_in_millis" : 0,
"delete_current" : 0,
"noop_update_total" : 0,
"is_throttled" : false,
"throttle_time_in_millis" : 0
},
......刪除索引 test
- 根據索引名稱刪除
DELETE test?pretty- 可以一次刪除多個索引(以逗號間隔)刪除所有索引 _all 或通配符 *
查看索引模板
GET _template #查看所有索引摸板
GET _template/temp* #查看以temp開頭的索引模板
GET _template/template_1,template_2 #查看template_1和template_2索引摸板
GET _template/template_name #查看名稱為template_name的索引摸板刪除索引模板
DELETE _template/template_name返回
Grok Debugger 調試
例一
input
[2020-04-03T16:51:35,918] [DEBUG] [o.e.a.a.c.n.i.TransportNodesInfoAction] [data02-131-211] failed to execute on node [08GhVGGgRCqUE3qAdXf04g] org.elasticsearch.transport.NodeNotConnectedException: [master01-34.5][172.16.34.5:9300] Node not connectedpattern
(?<date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\] \[(?<loglevel>[A-Z \s]{4,5})] \[(?<service>[A-Za-z0-9/.]{4,40})\] \[(?<node>[A-Za-z0-9/-]{4,40})\] (?<msg>.*)result
{
"date": [
[
"2020-04-03T16:51:35,918"
]
],
"loglevel": [
[
"DEBUG"
]
],
"service": [
[
"o.e.a.a.c.n.i.TransportNodesInfoAction"
]
],
"node": [
[
"data02-131-211"
]
],
"msg": [
[
"failed to execute on node [08GhVGGgRCqUE3qAdXf04g] org.elasticsearch.transport.NodeNotConnectedException: [master01-34.5][172.16.34.5:9300] Node not connected"
]
]
}例二
input
[2020-04-03 09:04:20,446][INFO][Thread-16][c.h.jobhandler.ELKTestJobHandlervds.6665][ELKTestJobHandler.java : 32][elkTestJobHandler: 普通日誌輸出測試]pattern
(?<date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})\]\[(?<loglevel>[A-Z]{4,5})\]\[(?<thread>[A-Za-z0-9-/-]{4,40})\]\[(?<class>[A-Za-z0-9/.]{4,40})\]\[(?<msg>.*)result
{
"date": [
[
"2020-04-03 09:04:20,446"
]
],
"loglevel": [
[
"INFO"
]
],
"thread": [
[
"Thread-16"
]
],
"class": [
[
"c.h.jobhandler.ELKTestJobHandlervds.6665"
]
],
"msg": [
[
"ELKTestJobHandler.java : 32][elkTestJobHandler: 普通日誌輸出測試]"
]
]
}例三
input
2018/05/01 16:16:01.892 - OK - 759.2ms - 172.29.1.7:35184[485388]->172.7.1.39:3306[1525162561129639717]:<DB>:select count(*) from test[];pattern
(?<date>\d{4}/\d{2}/\d{2}\s(?<datetime>%{TIME}))\s-\s(?<status>\w{2})\s-\s(?<respond_time>\d+)\.\d+\w{2}\s-\s%{IP:client}:(?<client-port>\d+)\[\d+\]->%{IP:server}:(?<server-port>\d+).*:(?<databases><\w+>):(?<SQL>.*)result
{
"date": [
[
"2018/05/01 16:16:01.892"
]
],
"datetime": [
[
"16:16:01.892"
]
],
"TIME": [
[
"16:16:01.892"
]
],
"HOUR": [
[
"16"
]
],
"MINUTE": [
[
"16"
]
],
"SECOND": [
[
"01.892"
]
],
"status": [
[
"OK"
]
],
"respond_time": [
[
"759"
]
],
"client": [
[
"172.29.1.7"
]
],
"IPV6": [
[
null,
null
]
],
"IPV4": [
[
"172.29.1.7",
"172.7.1.39"
]
],
"client-port": [
[
"35184"
]
],
"server": [
[
"172.7.1.39"
]
],
"server-port": [
[
"3306"
]
],
"databases": [
[
"<DB>"
]
],
"SQL": [
[
"select count(*) from test[];"
]
]
}作圖
以 Nginx 日誌為例,插入數據,生產環境中可以通過 Beats 收集到 Elasticsearch 再作圖
插入 Nginx 日誌測試數據
在 Kibana 的開發工具中執行
POST nginx-access-logs/_bulk
{"index":{"_id":"1"}}
{"log_time":"2020-06-30T18:05:03+08:00","client_ip":"115.159.116.79","method":"POST","http_code":"200","size":"66","usersip":"119.85.16.64, 115.159.116.79","request_uri":"http://qdweb.zksf.com/xfjr-zfb/PhoneQry.do","req_time":"0.016","user_ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/4G Language/zh_CN"}
{"index":{"_id":"2"}}
{"log_time":"2020-06-30T18:05:04+08:00","client_ip":"123.206.205.161","method":"GET","http_code":"200","size":"11133","usersip":"117.136.84.181, 123.206.205.161","request_uri":"http://qdweb.zksf.com/static/wx/dist/htmls/applyCardMoneySuc/mod.js","req_time":"0.000","user_ua":"Mozilla/5.0 (Linux; Android 8.0.0; SM-G9550 Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044704 Mobile Safari/537.36 MMWEBID/1866 MicroMessenger/7.0.4.1420(0x2700043C) Process/tools NetType/4G Language/zh_CN"}
{"index":{"_id":"3"}}
{"log_time":"2020-06-30T18:05:06+08:00","client_ip":"123.206.107.139","method":"POST","http_code":"200","size":"3887","usersip":"117.136.44.137, 123.206.107.139","request_uri":"http://qdweb.zksf.com/xfjr-zfb/custLoanInfoQry.do","req_time":"0.028","user_ua":"Mozilla/5.0 (Linux; Android 8.1.0; PACM00 Build/O11019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044705 Mobile Safari/537.36 MMWEBID/908 MicroMessenger/7.0.4.1420(0x2700043C) Process/tools NetType/4G Language/zh_CN"}
{"index":{"_id":"4"}}
{"log_time":"2020-06-30T18:05:06+08:00","client_ip":"115.159.93.78","method":"POST","http_code":"200","size":"86","usersip":"218.26.54.246, 115.159.93.78","request_uri":"http://qdweb.zksf.com/xfjr-zfb/LoanAntiFraudQry.do","req_time":"0.022","user_ua":"Mozilla/5.0 (Linux; Android 8.1.0; vivo X21A Build/OPM1.171019.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044705 Mobile Safari/537.36 MicroMessenger/6.7.2.1340(0x260702C5) NetType/4G Language/zh_CN"}
{"index":{"_id":"5"}}
{"log_time":"2020-06-30T18:05:31+08:00","client_ip":"123.206.205.161","method":"POST","http_code":"200","size":"110","usersip":"117.84.191.27, 123.206.205.161","request_uri":"http://qdweb.zksf.com/xfjr-zfb/WeixinForOpenId.do","req_time":"0.154","user_ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN"}
{"index":{"_id":"6"}}
{"log_time":"2020-06-30T18:05:32+08:00","client_ip":"123.206.205.161","method":"GET","http_code":"400","size":"2119","usersip":"117.84.191.27, 123.206.205.161","request_uri":"http://qdweb.zksf.com/static/wx/dist/htmls/applyCardMoney/applyCardMoney.html","req_time":"0.000","user_ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN"}
{"index":{"_id":"7"}}
{"log_time":"2020-06-30T18:05:32+08:00","client_ip":"123.206.205.161","method":"POST","http_code":"302","size":"150","usersip":"117.84.191.27, 123.206.205.161","request_uri":"http://qdweb.zksf.com/xfjr-zfb/LoginStatusQry.do","req_time":"0.014","user_ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN"}
{"index":{"_id":"8"}}
{"log_time":"2020-06-30T18:05:32+08:00","client_ip":"111.231.53.89","method":"POST","http_code":"200","size":"174","usersip":"117.136.67.251, 111.231.53.89","request_uri":"http://qdweb.zksf.com/xfjr-zfb/AntiFraudResultQry.do","req_time":"0.027","user_ua":"Mozilla/5.0 (Linux; Android 8.1.0; vivo Y83A Build/O11019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044705 Mobile Safari/537.36 MMWEBID/2371 MicroMessenger/7.0.4.1420(0x2700043C) Process/tools NetType/4G Language/zh_CN"}
{"index":{"_id":"9"}}
{"log_time":"2020-06-30T18:05:32+08:00","client_ip":"123.206.205.161","method":"GET","http_code":"200","size":"1306","usersip":"117.84.191.27, 123.206.205.161","request_uri":"http://qdweb.zksf.com/static/wx/dist/images/emApprove.png","req_time":"0.000","user_ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN"}
{"index":{"_id":"10"}}
{"log_time":"2020-06-30T18:05:32+08:00","client_ip":"122.152.197.50","method":"POST","http_code":"200","size":"110","usersip":"60.119.37.213, 122.152.197.50","request_uri":"http://qdweb.zksf.com/xfjr-zfb/CheckNotice.do","req_time":"0.015","user_ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN"}返回
{
"took" : 612,
"errors" : false,
"items" : [
{
"index" : {
"_index" : "nginx-access-logs",
"_type" : "_doc",
"_id" : "1",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 0,
"_primary_term" : 1,
"status" : 201
}
},
{
"index" : {
"_index" : "nginx-access-logs",
"_type" : "_doc",
"_id" : "6",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 5,
"_primary_term" : 1,
"status" : 201
}
},
{
"index" : {
"_index" : "nginx-access-logs",
"_type" : "_doc",
"_id" : "7",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 6,
"_primary_term" : 1,
"status" : 201
}
},
{
"index" : {
"_index" : "nginx-access-logs",
"_type" : "_doc",
"_id" : "8",
"_version" : 1,
"result" : "created",
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"_seq_no" : 7,
"_primary_term" : 1,
"status" : 201
}
},
......
]
}創建索引
導航 -> Kibana -> Management -> Stack Management -> Index patterns(索引模式)-> Create index patterns(創建索引模式)-> nginx-access-logs -> Next step(下一步) -> log_time -> Create index patterns(創建索引模式)
查看索引字段
根據 Nginx 日誌作圖
狀態碼
導航 -> Kibana -> Visualize -> Create visualization(創建可視化)
Create visualization(創建可視化)
Select a visualization type(選擇可視化類型)-> Pie(餅圖)
Choose a source(選擇數據源)-> nginx-access-logs
Data(數據)-> Metrics(指標)-> Slice size(切片大小)-> Aggregation(聚合)->Count(計數)-> Custom label(定指標籤)-> 狀態碼
Buckets(存儲桶)-> Add(添加)
Split slices(拆分切片)
Aggregation(聚合)-> Terms(詞)-> Field(字段)-> http_code -> Update(更新)
Save(保存)
狀態碼 -> 保存
流量
導航 -> Kibana -> Visualize -> Create visualization(創建可視化)-> Select a visualization type(選擇可視化類型)-> Area(面積圖)-> Choose a source(選擇數據源)-> nginx-access-logs -> Data(數據)-> Y-axis(Y軸)-> Aggregation(聚合)-> Count(計數)-> Custom label(定指標籤)-> 流量 -> Buckets(存儲桶)-> Add(添加)-> X-axis(X軸)-> Aggregation(聚合)-> Date Histogram-> Field(字段)-> log_time -> Minimum interval(最小時間間隔)-> Second(秒)-> Custom label(每秒流量)-> Update(更新)-> Save(保存)-> 網絡流量
客戶端 IP
導航 -> Kibana -> Visualize -> Create visualization(創建可視化)-> Select a visualization type(選擇可視化類型)-> Data Table(數據表)-> Choose a source(選擇數據源)-> nginx-access-logs -> Data(數據)-> Metrics(指標)-> Aggregation(聚合)-> Count(計數)-> Custom label(定指標籤)-> 訪問次數 -> Buckets(存儲桶)-> Add(添加)-> Split rows(拆分行)->Aggregation(聚合)-> Terms(詞)-> Field(字段)-> client_ip -> Custom label(客戶端IP)-> Update(更新)-> Save(保存)-> 客戶端訪問Top
創建 Dashboard
導航 -> Kibana -> Dashboard(儀表盤)
Create dashboard(創建儀表盤)
Add an existing(添加現有)
點擊前面創建的圖表
選擇時間段,由於是假數據,直接選擇 Last 1 year
點擊保存
輸入要保存的名稱 nginx-access-logs 後點擊保存
重新回到儀表盤,然後點擊上面我們保存的 nginx-access-logs 名稱就能看到這個儀表盤了。
Kibana Lens 可視化
導航 -> Kibana -> Visualize -> Create visualization(創建可視化)
Create visualization(創建可視化)
Select a visualization type(選擇可視化類型)-> Lens 可視化
選擇索引 nginx-access-logs -> 選擇時間 Last 1 year
拖動字段http_code到中間
會自動根據此字段生成圖表
可以選擇下方不同的圖表進行展示
也可以在下拉菜單中選擇不同的圖像
圖表也會根據查詢動態變化,比如要查詢 http_code 的值為 200,圖標就會變化為下圖這樣
還可以選擇圖例展示的位置
保存
KQL 查詢
一般查詢
查詢 http_code 的值為 302 的數據
http_code : 302
條件運算符查詢
查詢 http_code 的值是大於等於 400 的數據
http_code > = 400(代碼格式會亂,正確的是> =中間沒有空格)
邏輯運算符查詢
查詢 http_code 的值為大於 200 並且 method 的值是 POST 的數據
http_code > 200 and method : POST
查詢 http_code 的值為大於 200 或者 method 的值是 GET 的數據
http_code > 200 or method : GET
通配符
查詢某個字段的值存在的數據,存在則返回數據,不存在則返回為空
size: *
name: *