本文介绍了如何在Elasticsearch中定义索引模式,并利用Kibana进行数据发现,包括创建索引模式、搜索数据、窄化显示结果以及构建关键词搜索等关键步骤。
Each set of data loaded to Elasticsearch has an index pattern. In the previous section, the Shakespeare data set has an index named shakespeare, and the accounts data set has an index named bank. An index pattern is a string with optional wildcards that can match multiple indices. For example, in the common logging use case, a typical index name contains the date in MM-DD-YYYY format, and an index pattern for May would look something like logstash-2015.05*.
每个加载到ES的数据集都有一个索引模式。在前一部分,莎士比亚数据集有一个叫“莎士比亚”的索引名,而且,计数数据集用一个索引名叫“bank”。索引模式是一个包含可选通配符的字符串,它可以匹配多种索引。例如,在通常的日志使用案例中,一个典型的索引名包括MM-DD-YYYY 格式的日期,而且五月的索引模式看起来像是logstash-2015.05。
For this tutorial, any pattern that matches the name of an index we’ve loaded will work. Open a browser and navigate to localhost:5601. Click the Settings tab, then the Indices tab. Click Add New to define a new index pattern. Two of the sample data sets, the Shakespeare plays and the financial accounts, don’t contain time-series data. Make sure the Index contains time-based events box is unchecked when you create index patterns for these data sets. Specify shakes* as the index pattern for the Shakespeare data set and click Create to define the index pattern, then define a second index pattern named ba*.
在这篇教程中,任何满足我们加载的满足索引名字的模式都将产生作用。打开浏览器,访问localhost:5601。点击‘Settings’按钮,然后是‘Indices’按钮。点击‘Add New’来定义一个新模式。两个数据集中的简单例子,莎士比亚剧本和财务记账,并没有包含时间序列的数据。当你为数据集创建索引模式时,确保‘Index contains time-based events’的使用未受限。为莎士比亚数据集,指定‘shake*’作为索引模式,然后点击‘Create’来定义索引模式,最后定义一个名字是‘ba*’的二级索引模式。
The Logstash data set does contain time-series data, so after clicking Add New to define the index for this data set, make sure the Index contains time-based events box is checked and select the @timestamp field from the Time-field name drop-down.
Logstash数据集包含时间序列的数据,所以,在点击‘Add New’来为数据集定义索引之后,确保‘Index contains time-based events’栏是封闭的,从’Time-field name‘下拉列表选择@timestamp字段。
Discovering Your Data
Discover你的数据
Click the Discover tab to display Kibana’s data discovery functions:
点击’Discover‘键来展示Kibana数据的发现功能。
Right under the tab itself, there is a search box where you can search your data. Searches take a specificquery syntax that enable you to create custom searches, which you can save and load by clicking the buttons to the right of the search box.
在’Discover‘标签的正下方,有一个搜索栏,你在那里可以搜索数据。搜索使用了一种特殊的请求语法,来保证你能创建普通搜索,你可以通过点击搜索栏右边的按钮来保存和加载。
Beneath the search box, the current index pattern is displayed in a drop-down. You can change the index pattern by selecting a different pattern from the drop-down selector.
在搜索栏下方,现在的搜索模式被展现在下拉菜单。你可以从下拉选择器中,选择一个不同的模式,来改变搜索模式。
You can construct searches by using the field names and the values you’re interested in. With numeric fields you can use comparison operators such as greater than (>), less than (<), or equals (=). You can link elements with the logical operators AND, OR, and NOT, all in uppercase.
你可以使用你感兴趣的字段名和值来构建搜索。对于数据字段,你可以使用’>‘,'<'或’=‘。你可以使用键盘上的逻辑操作’AND‘,’OR‘和’NOT‘来连接元素。
Try selecting the ba* index pattern and putting the following search into the search box:
试着选择’ba*‘索引模式,把下面的内容放在索引栏:
account_number:<100 AND balance:>47500
This search returns all account numbers between zero and 99 with balances in excess of 47,500.
If you’re using the linked sample data set, this search returns 5 results: Account numbers 8, 32, 78, 85, and 97.
这次搜索返回了数字在0到99之间,而账目大于47500的内容。如果你使用链接中的样本数据集,这次搜索将返回5个结果:账目数据8,32,78,85和97。
To narrow the display to only the specific fields of interest, highlight each field in the list that displays under the index pattern and click the Add button. Note how, in this example, adding the account_numberfield changes the display from the full text of five records to a simple list of five account numbers:
为了把展示结果限定成感兴趣的字段,突出索引模式下列表中的每个字段,点击’Add‘按钮。在这个例子中,添加’account_number‘字段,把显示的完整信息变成只显示五个数字:
备注:
材料来自elastic官网。
地址:
https://www.elastic.co/guide/en/kibana/current/tutorial-define-index.html
扫一扫
9810
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
