0
votes

I have JSON in the Kibana UI containing the information below, along with other details:

host.name       abcd

 message        2020-07-29 03:59:19,393 -0700 INFO  [http-nio-8080-exec-2139] abchohfowhofnfnnfnwlnflw 
                CLIENT_ID=MNOPQR xysbxs

I want to filter only the part CLIENT_ID=MNOPQR as the search result in Kibana. Basically, I want to get all the client_id names on the host abcd.

Is it possible to get the data?

2
Is MNOPQR xysbxs the complete id, or just MNOPQR? - Narsireddy
MNOPQR is the complete id. - Anand Abhay

2 Answers

0
votes

Kibana’s query language is based on Lucene query syntax. You should be able to filter the host.name field with the exact hostname you're after and wildcard the message similarly to below:

host.name: "abcd" AND message: *CLIENT_ID=MNOPQR*
0
votes

You need to filter for host.name='abcd'

Then, using the pipeline processors, you can extract the client id as below:

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "parse multiple patterns",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [ "CLIENT_ID=%{NOTSPACE:client_value}" ]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "2020-07-29 03:59:19,393 -0700 INFO [http-nio-8080-exec-2139] abchohfowhofnfnnfnwlnflw CLIENT_ID=MNOPQR xysbxs"
      }
    }
  ]
}



And the result is:

{
  "docs" : [
    {
      "doc" : {
        "_index" : "_index",
        "_type" : "_doc",
        "_id" : "_id",
        "_source" : {
          "message" : "2020-07-29 03:59:19,393 -0700 INFO [http-nio-8080-exec-2139] abchohfowhofnfnnfnwlnflw CLIENT_ID=MNOPQR xysbxs",
          "client_value" : "MNOPQR"
        },
        "_ingest" : {
          "timestamp" : "2020-07-29T18:25:29.07763Z"
        }     
      }
    }
  ]
}
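An offline check of what the grok pattern above captures, as an added example that is not part of the original answers: it applies the equivalent regex (grok's NOTSPACE is `\S+`) to constructed sample documents and collects the distinct client ids per host, which is the list the question asks for. The sample documents, the second host `efgh` and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Grok's NOTSPACE is the regex \S+; the named group mirrors the answer's
# client_value capture. Like the grok pattern, it is not anchored.
CLIENT_ID = re.compile(r"CLIENT_ID=(?P<client_value>\S+)")

# Constructed sample documents (host.name + message), modelled on the question.
DOCS = [
    {"host.name": "abcd", "message": "2020-07-29 03:59:19,393 -0700 INFO [http-nio-8080-exec-2139] abchohfowhofnfnnfnwlnflw CLIENT_ID=MNOPQR xysbxs"},
    {"host.name": "abcd", "message": "2020-07-29 04:01:02,110 -0700 INFO [http-nio-8080-exec-2140] request CLIENT_ID=GHIJKL done"},
    {"host.name": "abcd", "message": "2020-07-29 04:01:05,871 -0700 INFO [http-nio-8080-exec-2141] request CLIENT_ID=MNOPQR done"},
    {"host.name": "abcd", "message": "2020-07-29 04:02:00,000 -0700 INFO [http-nio-8080-exec-2142] health check ok"},
    {"host.name": "abcd", "message": "2020-07-29 04:03:10,500 -0700 WARN [http-nio-8080-exec-2143] CLIENT_ID=ABCDEF, retrying"},
    {"host.name": "efgh", "message": "2020-07-29 04:04:44,012 -0700 INFO [http-nio-8080-exec-17] login CLIENT_ID=UVWXYZ"},
]


def extract_client_value(message):
    """Return the captured client id, or None if the message has no CLIENT_ID= token."""
    match = CLIENT_ID.search(message)
    return match.group("client_value") if match else None


def client_ids_by_host(docs):
    """Map each host.name to the sorted distinct client ids found in its messages."""
    seen = defaultdict(set)
    for doc in docs:
        value = extract_client_value(doc.get("message", ""))
        # A non-matching message is skipped here; the grok processor instead
        # fails such a document unless failure handling is configured.
        if value is not None:
            seen[doc["host.name"]].add(value)
    return {host: sorted(ids) for host, ids in seen.items()}


if __name__ == "__main__":
    for host, ids in client_ids_by_host(DOCS).items():
        # NOTSPACE keeps trailing punctuation, so "ABCDEF," is reported with
        # its comma; a narrower pattern is needed if values can be followed by one.
        print(host, ids)
```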
