Parse integer and show in timeline in Kibana

Question

Here is the Kibana UI and I want to parse some Integer in the message. The number in the end of message is the process time for one method and I what to visualize the average process time by hour in Kibana. Is that possible?

I tried some conf in logstash:

filter{
    json{
        source => "message"
    }
    grok {
        match => {
            "message" => "^Finish validate %{NUMBER:cto_validate_time}$"
        }
    }
    grok {
        match => {
            "message" => "^Finish customize %{NUMBER:cto_customize_time}$"
        }
    }

}

It works. But when I create the timechart I can not get the new field.

Are you allowed to modify the mapping? Are you allowed to modify the settings in the elasticsearch.yaml file? What is being used to send the data to Elasticsearch (Logstash, custom app, etc)? Do you need to do it on existing data in the index or just new data added? Do you care about performance? Depending on your answers to these questions, there are several ways to do it. — Lusid, Apr 13 '17 at 08:22
This is a springboot application and I just use "net.logstash.logback.appender.LogstashTcpSocketAppender" to send data to Logstash. I need to do it on existing data if possible. And I dont care about performance. — aisensiy, Apr 14 '17 at 01:45
I dont think i can change elasticsearch setting and I know little about mapping. I suffer the elk document a lot and that's one of the reason to give a question here :-( — aisensiy, Apr 14 '17 at 01:47

Val · Accepted Answer · 2017-04-18T08:56:17.247

1

Since you don't care about performance issues, you may create a scripted field named process_time in your index pattern with the following painless code. What it does is simply take the last numerical value from your message field.

def m = /.*\s(\d+)$/.matcher(doc['message.keyword'].value);
if ( m.matches() ) {
   return m.group(1)
} else {
   return 0
}

Then you can build a chart to show the average process time by hour. Go to the Visualize tab and create a new vertical bar chart. On the Y-Axis you'll create an Average aggregation on the process_time field and on the X-Axis you'll use a Date histogram aggregation on your timestamp field. A sample is shown below:

Note: You also need to add the following line in your elasticsearch.yml file and restart ES:

script.painless.regex.enabled: true

UPDATE

If you want to do it via Logstash you can add the following grok filter

filter{
    grok {
        match => {
            "message" => "^Finish customize in controller %{NUMBER:cto_customize_time}$"
        }
    }
    mutate {
        convert => { "cto_customize_time" => "integer" }
    }
}

edited Apr 18 '17 at 08:56

answered Apr 14 '17 at 05:37

Val

207,596
13
358
360

I tried, it shows `Warning Courier Fetch: 5 of 5 shards failed.` In Kibana – aisensiy Apr 17 '17 at 05:09
I find that I can access the logstash conf is there any method to create the time field in logstash? – aisensiy Apr 17 '17 at 05:29
Let's first solve the error (then we'll look into modifying the Logstash config). Do you have access to the Elasticsearch logs to see what the underlying error is? – Val Apr 17 '17 at 05:52
The trouble is here. It DO NOT show any new error message in log after I create the script field. – aisensiy Apr 17 '17 at 06:05
If you open the developer tools in your browser, what do you see in the JavaScript console? – Val Apr 17 '17 at 06:19
The logstash confi works. But I find that the Visualize shows no right field. – aisensiy Apr 17 '17 at 06:42
You need to refresh your index pattern so it discovers the new field – Val Apr 17 '17 at 06:58
Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/141864/discussion-between-aisensiy-and-val). – aisensiy Apr 17 '17 at 09:19
I found that the data type get from logstash is string, which is the reason that I can not create a data histogram. – aisensiy Apr 18 '17 at 08:54
So... the `%{NUMBER:cto_customize_time}` does not make it a NUMBER? – aisensiy Apr 18 '17 at 10:52
No it just looks for a string that contains a number – Val Apr 18 '17 at 10:56

Parse integer and show in timeline in Kibana

1 Answers1