{"type":"log","@timestamp":"2019-01-21T08:57:51Z","tags":["status","plugin:elasticsearch@6.5.2","error"],"pid":1,"state":"red","message":"Status changed from yellow to red - Request Timeout after 3000ms","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"} 1. First use oss
FROM docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.2
FROM docker.elastic.co/kibana/kibana-oss:6.5.2
So Not X-pack problem
2. Truly Problem is connect to elasticsearch failed
Even login kibana docker then ping elasticsearch docker that get response. But kibana logs always get this error message.
kibana website message “Kibana server is not ready yet”
Try to get docker elasticsearch ip, change docker kibana.
https://github.com/taskrabbit/elasticsearch-dump
Output elasticsearch->json docker run --rm -ti -u root -v /mnt/sda1/var/lib/docker/volumes/xxxxxxx/_data/data:/tmp taskrabbit/elasticsearch-dump --input=http://192.168.99.101:9200/filebeat-6.5.4-etl-logs --output=/tmp/etl-logs.json --type=mapping docker run --rm -ti -u root -v /mnt/sda1/var/lib/docker/volumes/xxxxxxx/_data/data:/tmp taskrabbit/elasticsearch-dump --input=http://192.168.99.101:9200/filebeat-6.5.4-etl-transactions --output=/tmp/etl-transactions.json --type=mapping docker run --rm -ti -u root -v /mnt/sda1/var/lib/docker/volumes/xxxxxxx/_data/data:/tmp taskrabbit/elasticsearch-dump --input=http://192.168.99.101:9200/filebeat-6.5.4-etl-receipts --output=/tmp/etl-receipts.json --type=mapping docker run --rm -ti -u root -v /mnt/sda1/var/lib/docker/volumes/xxxxxxx/_data/data:/tmp taskrabbit/elasticsearch-dump --input=http://192.168.99.101:9200/filebeat-6.5.4-etl-contracts --output=/tmp/etl-contracts.json --type=mapping docker run --rm -ti -u root -v /mnt/sda1/var/lib/docker/volumes/xxxxxxx/_data/data:/tmp taskrabbit/elasticsearch-dump --input=http://192.168.99.101:9200/filebeat-6.5.4-etl-blocks --output=/tmp/etl-blocks.json --type=mapping docker run --rm -ti -u root -v /mnt/sda1/var/lib/docker/volumes/xxxxxxx/_data/data:/tmp taskrabbit/elasticsearch-dump --input=http://192.
https://coder.tw/?p=7235
https://coder.tw/?p=7238
Kibana Dev Tools
GET _cat GET _cat/indices?v GET _cat/indices?v&s=index GET _cat/segments?v GET /_settings GET /_stats GET /_template GET _cluster/health GET filebeat-6.5.1-2019.01.01 POST filebeat-6.5.1-2019.01.01 PUT filebeat-6.5.1-2019.01.01 DELETE filebeat-6.5.1-2019.01.01 GET filebeat-6.5.1-2019.01.* POST filebeat-6.5.1-2019.01.* PUT filebeat-6.5.1-2019.01.* DELETE filebeat-6.5.1-2019.01.* GET filebeat-6.5.1-2019.01.01/_stats GET filebeat-6.5.1-2019.01.01/_mapping POST /_refresh POST /_cache/clear POST /_flush/synced ?v show column name
Segments Merge https://my.oschina.net/fufangchun/blog/1541156
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-forcemerge.html#forcemerge-multi-index
GET _cat/segments?v POST /filebeat-6.5.1-2019.01.01/_forcemerge?max_num_segments=1&flush=true
https://my.oschina.net/weiweiblog/blog/2989931
https://segmentfault.com/a/1190000002972420
通配符
? 匹配单个字符
* 匹配0到多个字符
kiba?a, el*search
? * 不能用作第一个字符,例如:?text *text
====================
正则
es支持部分正则功能,性能较差
name:/joh?n(ath[oa]n)/
====================
模糊搜索
quikc~ brwn~ foks~
~:在一个单词后面加上~启用模糊搜索,可以搜到一些拼写错误的单词
first~ 这种也能匹配到 frist
还可以设置编辑距离(整数),指定需要多少相似度
cromm~1 会匹配到 from 和 chrome
默认2,越大越接近搜索的原始值,设置为1基本能搜到80%拼写错误的单词
====================
逻辑操作
AND
OR
+:搜索结果中必须包含此项
-:不能含有此项
+apache -jakarta test aaa bbb:结果中必须存在apache,不能有jakarta,剩余部分尽量都匹配到
====================
分组
(jakarta OR apache) AND jakarta
====================
转义特殊字符
+ - = && || > < ! ( ) { } [ ] ^ " ~ * ?
https://www.rosehosting.com/blog/install-and-configure-the-elk-stack-on-ubuntu-16-04/
https://www.elastic.co/guide/en/logstash/current/configuration.html
https://dotblogs.com.tw/supershowwei/2016/05/25/185741
install finish
1、/etc/logstash/conf.d/ put some logstash conf
2、ubuntu have logstash listen error, so nano /etc/logstash/startup.options
LS_USER = root
3、/usr/share/logstash/bin# ./system-install reuse LS_USER for config
注意:
mutate {
add_field => {
“logTime” => “%{+YYYY-MM-dd} %{time}”
}
