Kibana KQL - find all log statements where a parameter value is greater than 2

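Problem description

I am writing a KQL query to build a Kibana Visualize. I have built a query that finds my expected result, but it is not perfect.

Points to note -

  1. The data is logger messages, not JSON
  2. I searched a lot, but most answers and Stack Overflow suggestions are for JSON data
  3. My query is on the "message" field

Expected result - all log messages where noOfFlexJobs>2

Here is my Query-1 -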

message:"thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32" and message:"noOfFlexJobs="

Query 1 result -

    Time    message
Jan 28, 2021 @ 09:20:14.503 2021-01-28T09:20:14.503-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1480876, noOfJobPrefs=0, noOfFlexJobs=0
Jan 28, 2021 @ 09:20:14.486 2021-01-28T09:20:14.486-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=a787754, noOfJobPrefs=0, noOfFlexJobs=1
Jan 28, 2021 @ 09:20:14.470 2021-01-28T09:20:14.470-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1478669, noOfJobPrefs=0, noOfFlexJobs=1
Jan 28, 2021 @ 09:20:14.454 2021-01-28T09:20:14.454-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1478668, noOfJobPrefs=0, noOfFlexJobs=0
Jan 28, 2021 @ 09:20:14.443 2021-01-28T09:20:14.443-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1278828, noOfJobPrefs=0, noOfFlexJobs=3
Jan 28, 2021 @ 09:20:14.418 2021-01-28T09:20:14.418-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1472766, noOfJobPrefs=0, noOfFlexJobs=4
Jan 28, 2021 @ 09:20:14.391 2021-01-28T09:20:14.391-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1478985, noOfJobPrefs=0, noOfFlexJobs=5
Jan 28, 2021 @ 09:20:14.380 2021-01-28T09:20:14.379-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1472442, noOfJobPrefs=0, noOfFlexJobs=11
Jan 28, 2021 @ 09:20:14.357 2021-01-28T09:20:14.357-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1502372, noOfJobPrefs=0, noOfFlexJobs=0
Jan 28, 2021 @ 09:20:14.352 2021-01-28T09:20:14.352-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1477010, noOfJobPrefs=0, noOfFlexJobs=0
Jan 28, 2021 @ 09:20:14.342 2021-01-28T09:20:14.342-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1467206, noOfJobPrefs=0, noOfFlexJobs=16

To get the desired result, I updated my query - Query-2

message:"thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32" and (message:"noOfFlexJobs=3" or message:"noOfFlexJobs=4" or message:"noOfFlexJobs=5")

Query 2 result

Time    message
Jan 28, 2021 @ 09:20:14.443 2021-01-28T09:20:14.443-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1278828, noOfJobPrefs=0, noOfFlexJobs=3
Jan 28, 2021 @ 09:20:14.418 2021-01-28T09:20:14.418-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1472766, noOfJobPrefs=0, noOfFlexJobs=4
Jan 28, 2021 @ 09:20:14.391 2021-01-28T09:20:14.391-0600 level=INFO, thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32, cat=EmployeeJobsScript, [] msg=Employee jobs data for scriptName=getEmployeeNumbersForFlexJob scriptStatus=RUNNING executionId=2b80ac18-d97c-4af0-a14b-53b14f1bbc32 EmployeeNumber=A1478985, noOfJobPrefs=0, noOfFlexJobs=5

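I understand why I only get 3 rows; if I added the remaining query parameters for 6, 7, ... and so on, I would get my desired output. But I am not sure what the maximum value of noOfFlexJobs is.

I tried message:"noOfFlexJobs=">2, but it did not work.

Is it possible to query on the message statement? Is there a way to find all statements where noOfFlexJobs>2?

Thanks in advance!

Tags: kibana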

Solution

I figured it out. It can be done using the not keyword in KQL.

So the answer is:

message:"thread=getEmployeeNumbersForFlexJob-2b80ac18-d97c-4af0-a14b-53b14f1bbc32" and not message:"noOfFlexJobs=0" and not message:"noOfFlexJobs=1"
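
An added example, not part of the original question or answer: it parses the key=value pairs out of messages in the layout shown above and compares a true numeric filter (noOfFlexJobs > 2) with the exclusion-style query over constructed sample lines. The sample lines, the function names and the regex stand-in for phrase matching on an analyzed text field are assumptions made for illustration; once the value is extracted into a numeric field at ingest, a KQL range such as noOfFlexJobs > 2 can be used directly.

```python
import re

# Constructed sample messages in the key=value layout shown on the page
# (thread and employee values are made up and shortened).
BASE = ("level=INFO, thread=job-1, cat=EmployeeJobsScript, [] "
        "msg=Employee jobs data EmployeeNumber=E{i}, noOfJobPrefs=0, noOfFlexJobs={n}")
SAMPLE = [BASE.format(i=i, n=n) for i, n in enumerate([0, 1, 2, 3, 11, 16])]
# A line from the same thread that carries no noOfFlexJobs field at all.
SAMPLE.append("level=INFO, thread=job-1, cat=EmployeeJobsScript, [] "
              "msg=Script finished scriptStatus=DONE")

PAIR = re.compile(r"(\w+)=([^\s,]*)")


def parse_fields(message):
    """Return the key=value pairs of one log message as a dict of strings."""
    return dict(PAIR.findall(message))


def flex_jobs(message):
    """Return noOfFlexJobs as an int, or None if absent or not numeric."""
    value = parse_fields(message).get("noOfFlexJobs", "")
    return int(value) if value.isdigit() else None


def numeric_filter(messages, threshold=2):
    """Keep messages whose noOfFlexJobs is strictly greater than threshold."""
    kept = []
    for m in messages:
        n = flex_jobs(m)
        if n is not None and n > threshold:
            kept.append(m)
    return kept


def exclusion_filter(messages, excluded=(0, 1)):
    """Approximate `not message:"noOfFlexJobs=N"` for each N in excluded.

    Assumption: whole-token matching, so excluding 1 does not exclude 11.
    """
    def hit(m, n):
        return re.search(rf"\bnoOfFlexJobs={n}\b", m) is not None
    return [m for m in messages if not any(hit(m, n) for n in excluded)]


if __name__ == "__main__":
    print("numeric  :", [flex_jobs(m) for m in numeric_filter(SAMPLE)])
    print("exclusion:", [flex_jobs(m) for m in exclusion_filter(SAMPLE)])
```

The exclusion form also returns the line with noOfFlexJobs=2 and the line that has no noOfFlexJobs field, which the numeric filter drops.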
