Query multiple strings in a field in kibana3? - elasticsearch

I am using Logstash 1.4.1, elasticsearch 1.1.1, kibana 3.1 for analyzing my logs. I get the parsed fields (from log) in Kibana 3.
Now, I often have to query a particular field for many strings. E.g.: auth_message is a field and I may have to query for about 20 different strings (all together or separately).
If together:
auth_message: "login failed" OR "user XYZ" OR "authentication failure" OR .........
If separate queries:
auth_message: "login failed"
auth_message: "user XYZ"
auth_message: "authentication failure"
So the user cannot remember 20 strings to search a field for. Is there a way to store them, or present them to the user, so he can select the strings he wants to search for?
Can this be done using ELK ?

First, "pin" your query. Meaning that once you have made a query you are satisfied with, click the small colored circle, make the drop-down menu appear and click the "pin" button.
Then, in every panel of your interface, go to Configure -> Queries and, in the dropdown list, choose which query should be charted in this panel: you can select all, pinned, unpinned, or particular queries among the pinned ones. You can then save your dashboard with the pinned queries.
If I understand correctly, you would like users to be able to select any of your queries, or all of them. I don't see an easy way you could do that, but I think that you can save all of your criteria either as a single pinned global query or as multiple pinned separate queries, then configure all of your panels to display only unpinned data, and finally have your users reload the whole interface. In case you chose the global query solution: unpin it and edit it to remove unwanted terms. In case you chose to have a subquery per criterion: unpin every required one.
Alternatively, if some combinations of terms are often needed, you could save one kibana dashboard for each.
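Since Kibana 3's search bar hands the text to a Lucene-syntax query_string query, the 20 strings can be kept in one list and the query built from the subset the user selects, instead of being retyped. The following is an added example, not code from the original post or from Kibana/Logstash: it assumes the three strings from the question plus a fourth constructed one, quotes each string as a Lucene phrase (escaping backslashes and double quotes so a log line cannot break out of the phrase), and also emits the equivalent Elasticsearch query DSL (bool/should over match_phrase) for use with curl against the index.

```python
import json

# Constructed term list: the first three come from the question, the fourth is assumed.
AUTH_MESSAGE_TERMS = [
    "login failed",
    "user XYZ",
    "authentication failure",
    "invalid password for root",
]


def lucene_phrase(term: str) -> str:
    """Quote a term as a Lucene phrase.

    Inside double quotes only the backslash and the quote character need
    escaping; everything else is matched literally by query_string.
    """
    escaped = term.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_lucene_query(field: str, terms) -> str:
    """Build the Kibana 3 search-bar text: field:("a" OR "b" OR ...)."""
    terms = list(terms)
    if not terms:
        raise ValueError("need at least one term")
    return f'{field}:({" OR ".join(lucene_phrase(t) for t in terms)})'


def build_dsl_query(field: str, terms) -> dict:
    """Equivalent Elasticsearch query DSL: any of the phrases must match."""
    return {
        "query": {
            "bool": {
                "should": [{"match_phrase": {field: t}} for t in terms],
                "minimum_should_match": 1,
            }
        }
    }


def select_terms(terms, chosen_indexes):
    """Return the subset of terms the user picked (0-based indexes); unknown indexes are ignored."""
    return [t for i, t in enumerate(terms) if i in set(chosen_indexes)]


if __name__ == "__main__":
    # A user picks two of the stored strings; both query forms are generated from them.
    picked = select_terms(AUTH_MESSAGE_TERMS, [0, 2])
    print(build_lucene_query("auth_message", picked))
    print(json.dumps(build_dsl_query("auth_message", picked), indent=2))
```

The Lucene form is pasted into the Kibana search bar (or stored as a pinned query); the DSL form can be sent to `_search` directly when a dump of the matching events is wanted rather than a chart.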

Related

Export underlying items Kibana used for its dashboard?

I've created a dashboard that has various histograms, aggregations, etc.
Now, I want to export all the items that fed into those. So if 1793 items made it through the filters to end up as the dataset powering that dashboard, I want to export a document containing those 1793 items. The item count is one of the dashboard visualizations, so I know how many items it'd export.
Is there a way to do that export? Or to at least find out the ElasticSearch query that Kibana used that found the underlying items?
The use case here is a non-technical person (but a domain expert in the data) knows enough to add filters on the Kibana dashboard and they eventually get a filter they're happy with and then want to get a dump of those data items.

Read query parameter from URL in Kibana-5.1 search query i.e as a placeholder

I am new to Kibana and using it for visualising the data present in Elastic Search.
I am trying to create dynamic dashboard i.e. by using saved search indexes having field values as variable.
What I want
Want to use place holders in the query which can be populated from URL parameters and then search results rendered in dashboard.
So that user can search results by providing some input instead of fixed query.
Can it be done in Kibana? If not, is there any better visualisation tool other than Kibana to serve this purpose.
In the Dashboard View there is actually a search bar where you can just fire normal match queries, and it's easy to filter, e.g.:
Create a table with terms aggregation for one of the fields a user might be interested in.
Click on one of the Terms in the Dashboard
A filter can be seen under the searchbar and all elements in the dashboard will be filtered with it.
If you have line charts users can zoom into the charts to see only information of the zoomed in timeframe
Barcharts are interactive like tables
Play around a bit. Kibana is very powerful you just have to find the right visualizations.

Multiple “from:” keywords in Outlook advanced search

Re: Desktop client
I've tried this every way I can think of. Scenario: you have an inbox with five emails, each from a different person: personA, personB, ... personE. My goal is to write a search query that excludes people and shows the remaining emails.
I can write positive queries like from:personA OR from:personB, and the query returns a mixed bag of emails from personA and personB.
I've written the converse query NOT (from:personA OR from:personB) and the query returns all emails including personA and personB. I've tried variants like NOT from:personA AND NOT from:personB, NOT from:personA OR NOT from:personB and nothing works.
If I reduce the query to exclude only one person, it works as expected. However, if I try to expand the scope to exclude more than one, it doesn't return the desired results. What am I missing?
If you are using the search box above the Inbox switch to Advanced Find.
http://www.oit.uci.edu/exchange/email/using-advanced-find.php
Select the Advanced Tab, filter by From does not contain. Enter any number of names or name fragments separated by a space.

Save queries from AJAX autosuggest search

I want to save search queries from an AJAX autosuggest search textbox. When the user types in a character the search results are immediately shown.
The problem is to decide when a string is considered to be a query. When searching for "Lemon" it's not desirable to log L, Le, Lem, Lemo, Lemon. In this case only Lemon should be saved.
Also, sometimes a misspelled word is also of interest. "Lemmon" would be desirable to save since it would give the website owner valuable feedback about search queries that result in no items, when the user probably was expecting some.
Any ideas?
You cannot programmatically decide when it is a query, but the user can. You have to take the user's actions and save when he considers it a real query.
For example:
You display some autosuggest, and the user clicks on it. Now you only save this click as his search query (and maybe what he wrote into the searchbox)
When the user submits the form, you save his query as a "Searchable World" and compare it to your autosuggest list.
You have a Database of useful words, and when he types in one of these, you save this (by a counter?)
You should combine the first 2 Solutions to get a quite intelligent Database, but then you'll get intelligent data!

Sharepoint 2010: Full text plus faceted search over an External Content List using Search Services (or possibly FAST)

I have an External List over a products table in our database. I want to be able to build a search form over it via a full text search; in addition to being able to filter down on properties on my initial search.
For example, say I'm looking for DVDs under 10.00 in product DB. I want to be able to have a search box where I enter "DVD OR Movie", but I also want to be able to have a price box where I could enter a max price of 9.99.
My impression of SP2010 search solutions is that it's easy enough to perform a full text search over an EL with Search Services, but being able to filter down by additional attributes at the same time doesn't appear to be possible out of the box. I know that with FAST I can do a full text search, then filter down the results on the results page via each item's properties. However, we're building custom functionality on the results page allowing users to add an item from the search result set to another list, so I can't use Search Services' or FAST's results page.
I'm thinking my best bet is CAML, but my readings on the subject lead me to believe CAML doesn't support full text search. I could also try LinqToSharepoint, but that doesn't support full text search either.
Given my circumstances, do I have any other options besides CAML or Linq? Any constructive input is greatly appreciated.
Thanks,
Frank
One solution is to use the FAST FSIS product. This is the full version of FAST. It will require some extra configuration to index the data in the way you want. That version of FAST will allow you to explicitly define your fields.
