Kibana. Using the KQL query language when searching for logs

For beginner testers

Author: Nadezhda Dudnik


Introduction

Kibana (wiki) is used to monitor and analyze IT infrastructure as part of the Elastic Stack, which, in addition to Kibana, includes Elasticsearch and Logstash. Logstash collects and processes the incoming stream of log data and delivers it to Elasticsearch, which stores and indexes it for retrieval. Kibana, in turn, reads the data from Elasticsearch and visualizes it in various formats.

Kibana has its own query language, KQL (Kibana Query Language); see the official source (https://www.elastic.co/guide/en/kibana/current/kuery-query.html).

Using this language, you can write queries that help you filter and find the information you need.

Connecting to Kibana to view logs

Open the Kibana URL http://37.46.129.245:5601/app/home#/ (this instance was shared by Evgeny Sychev, PM and QA Lead for fintech projects, for practising log search; it is a shared training instance, so do not put anything sensitive into it).

Enter the login credentials:

welcome home

Select Kibana → Discover:

Kibana → Discover


KQL mode is enabled by default.

In Change index pattern, select the index pattern whose logs you want to check. First I will use ‘logstash‘, and later ‘forum‘: those logs come from the clan forum for the game The Lord of the Rings Online, http://forum.free-peoples.ru/, which Evgeny Sychev also maintains (warning: the site presents a certificate the browser does not trust, so you will have to accept it explicitly).

e.g. logstash*


The main blocks for working with logs:

  1. Block for entering the log search, with or without a KQL query;

  2. Block for choosing the time interval (Today, This week, Last 15 minutes (default), Last 30 minutes, Last 1 hour, Last 24 hours, Last 7 days, Last 30 days, Last 90 days, Last 1 year);

  3. Block with the fields selected for output (“Selected fields”);

  4. Block with the available fields (“Available fields“);

  5. Block with the log search results, with or without selected fields;

  6. Block of filters by data type (“Filter by type“);

  7. Buttons “Refresh” / “Update“.

Information about the main blocks


Using KQL.

Place the cursor in the line for composing KQL queries.

The key attributes (field names) available for searching the logs are displayed.

Search


Specify, for example, the attribute “message” (Filter results that contain message).

Mapping Key Attributes


Screenshots from the documentation describing the main parameters:

Valid property operators for property constraints

Boolean operators supported in KQL

Note that these two tables are taken from Microsoft's Keyword Query Language reference (the SharePoint search syntax), which shares the abbreviation but is a different language. Kibana's own KQL supports the field operator ( : ), the range operators <, <=, >, >=, the boolean operators and, or, not, grouping with parentheses, and the * wildcard; see the Kibana reference linked in the introduction.

Let’s look at some examples. The field “host” has the data type “string“, for which the following operators are offered for a string field:

Parameters for the string field


The field “geoip.ip” has the data type “number“, for which the following options are offered for a number field:

Options for a number field


Composing a simple KQL query:

host: jekil1.fvds.ru and severity : WARN

Here ( : ) is the operator that matches a field against a value, and “and” requires both conditions to hold.

Match results:

The specified search values ​​are highlighted in yellow


The next query: host: jekil1.fvds.ru and severity : WARN and message: *auth.log*

Here * denotes a wildcard. *auth.log* finds any values that contain “auth.log” in any position; in this data it matched “oauth.log”, because the leading * also covers the “o” in front.

“Displayed” oauth.log in any position

exc* finds any values that start with “exc”.

So the wildcard can be used after a phrase (“values that start with exc”). Kibana's KQL also accepts a wildcard in front of a phrase, as *auth.log* above shows (this is controlled by the Advanced Setting query:allowLeadingWildcards, and such queries are expensive because every term in the field has to be scanned). The attempt to find values that end with “exc” returned nothing simply because this data set contained none:

values that end with “exc” -> no such values

Double quotes in a KQL query. To search for a value that contains characters with a special meaning in KQL (spaces, parentheses, colons, the comparison characters < and >), you must put the value in double quotes “ “.

For example, the following KQL query without quotes:

message: exception=>Errno::EACCES

produces an error:

Search Error
Expected AND, OR, end of input, whitespace but ">" found. message: exception=>Errno::EACCES -------------------^

(the parser reads exception= as the value and stops at >, which is a range operator in KQL)

sentence without quotes

whereas the same query with quotes:

message: "exception=>Errno::EACCES"

gives the following match result:

sentence with quotation marks

I want to note that double quotes are essential when searching logs for messages like this.

KQL with “Filter by type”. Add the field “_type” by pressing “+” next to it.

Press “+”

Match results are displayed as a Table or as JSON:

Adding a filter by the _type field

1. Enter "host: jekil1.fvds.ru and severity : WARN and message: exc*" in the query block;
2. Select "Today" in the time interval block;
3. Select only "_type" in the block of selected fields;
4. Click the "Refresh/Update" button.

Search results:

Adding a filter by the _type field

Search results with the selected fields “_type” and “path”:

Adding a filter by the _type and path fields

KQL with the “Filter for value” filter. Additionally, the field “host”.

The value of the selected field is displayed in the filter in the upper left corner.

example 1 -> Display values for field operator “_id”

example 2 -> Display values for field operator “geoip.ip”

example 3 -> severity is WARN

example 4 -> severity is WARN and selected fields “severity”, “_id”, “path”

The value “WARN” is highlighted in yellow, as it is specified in the filter by values in the upper right corner.

Finding logs without using KQL.

1. Enter, for example, the value of the field "source", i.e. "filewatch.tailmode.handlers.create", in the query block;
2. Select "Today" in the time interval block;
3. Click the "Refresh" button;
4. Remove the selected filters from "Filter for value" and "Filter by type".

Matching results:

Finding logs without using KQL

Practice

  1. Follow the link to the clan forum for the game The Lord of the Rings Online: https://forum.free-peoples.ru/ (the browser will warn about the certificate; proceed at your own risk via ‘Advanced’, and do not enter any real credentials there);

  2. Enter an invalid “Username:” = “test” and “Password:” = “test” on the forum page;

  3. Click the “Login” button;

  4. Note the time;

  5. Follow the link http://37.46.129.245:5601/app/home#/ -> log in -> select “Discover” -> select “forum” in Change index pattern;

  6. Enter the value “login” in the query string;

  7. Click “Refresh”;

  8. Make sure the results are found and look at the log entries for the forum login;

    Search for logs for authorization in the forum on the site

  9. Click the “Register” link on the website: https://forum.free-peoples.ru/ucp.php?mode=register. An error is displayed on the new page;

  10. Note the time;

  11. Find the log with the text “mode=register” in Kibana;

  12. Choose to show the log in JSON format;

  13. Make sure that the logs with the error are found.

Make sure that logs with an error are found

Additional information:

View a log entry in JSON format.

View log in JSON format

View single document - view the detailed log entry.

View detailed log

Also available:

From the (Microsoft Keyword Query Language) documentation: “It is possible to combine different parts of keyword queries using an opening bracket ” ( ” and a closing bracket ” ) “. Each opening bracket ” ( ” must have a corresponding closing bracket ” ) “. A space before or after the bracket has no effect on the query. “ Kibana's KQL uses parentheses in the same way, to group clauses and override the default precedence, in which and binds tighter than or.

You can also add fields from the block with all available fields to the area with the fields in use (selected). A quick reference to KQL is available.
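The queries above (field: value, the * wildcard, the quoted phrase that fixes the “exception=>Errno::EACCES” error, and/or/not, and the parentheses just mentioned), together with the free-text search used in the practice section above, can be reproduced offline with the following evaluator. It is an added example written for this article, not Kibana's own parser or Elasticsearch's query engine: the sample documents are constructed (their field names follow the screenshots, the values are invented), flat dicts with dotted keys stand in for nested documents, and text matching is a crude approximation of Elasticsearch's analyzer (case-insensitive, split on whitespace and punctuation). What it does show faithfully is how a query is tokenized and combined, and why an unquoted > ends the value.

```python
"""Evaluator for the KQL subset used in this article (field: value, "phrases", * wildcards,
and/or/not, parentheses) over flat in-memory documents.  Text matching is a crude stand-in
for Elasticsearch's analyzer (case-insensitive, split on whitespace and punctuation)."""
import re

# '<' and '>' are KQL range operators, so they end an unquoted literal; that is why
# `message: exception=>Errno::EACCES` fails to parse until the value is put in quotes.
_TOKEN_RE = re.compile(r'\s*(?:([():])|("(?:[^"\\]|\\.)*")|([^\s():<>"]+)|(\S))')
_SPLIT_RE = re.compile(r"[\s/?&=,;()\[\]]+")  # crude analyzer for field text

class KQLSyntaxError(ValueError):
    """Raised where Kibana's query bar would show 'Expected ... but ... found'."""

def tokenize(query):  # -> [(kind, text)] with kind in '(' ')' ':' STRING WORD KW
    tokens, pos = [], 0
    while (m := _TOKEN_RE.match(query, pos)) is not None:
        pos, (punct, quoted, word, bad) = m.end(), m.groups()
        if bad:
            raise KQLSyntaxError(f"Expected AND, OR, end of input, whitespace but "
                                 f"{bad!r} found at offset {m.start(4)}")
        if punct:
            tokens.append((punct, punct))
        elif quoted:
            tokens.append(("STRING", quoted[1:-1].replace('\\"', '"')))
        else:
            tokens.append(("KW", word.lower()) if word.lower() in {"and", "or", "not"} else ("WORD", word))
    return tokens

def parse(query):
    """Build ('or'|'and', l, r), ('not', x) and ('match', field, value, is_phrase) nodes."""
    toks, i = tokenize(query), 0
    def peek():
        return toks[i] if i < len(toks) else ("EOF", None)
    def take(kind):
        nonlocal i
        if peek()[0] != kind:
            raise KQLSyntaxError(f"Expected {kind} but {peek()[1]!r} found")
        i += 1
    def expr(level=0):  # level 0: or-chain, 1: and-chain, 2: optional 'not' + primary
        if level == 2:
            if peek() == ("KW", "not"):
                take("KW")
                return ("not", expr(2))
            return primary()
        op, node = ("or", "and")[level], expr(level + 1)
        while peek() == ("KW", op):
            take("KW")
            node = (op, node, expr(level + 1))
        return node
    def primary():
        if peek()[0] == "(":
            take("(")
            node = expr()
            take(")")
            return node
        field = None
        if peek()[0] == "WORD" and i + 1 < len(toks) and toks[i + 1] == (":", ":"):
            field = peek()[1]  # `field: value`; with no field the term is free text
            take("WORD")
            take(":")
        kind, text = peek()
        if kind not in ("WORD", "STRING"):
            raise KQLSyntaxError(f"Expected a value but {text!r} found")
        take(kind)
        return ("match", field, text, kind == "STRING")
    tree = expr()
    if peek()[0] != "EOF":
        raise KQLSyntaxError(f"Expected AND, OR, end of input but {peek()[1]!r} found")
    return tree

def evaluate(node, doc):  # doc is a flat dict; nested fields use dotted keys ('geoip.ip')
    if node[0] == "and":
        return evaluate(node[1], doc) and evaluate(node[2], doc)
    if node[0] == "or":
        return evaluate(node[1], doc) or evaluate(node[2], doc)
    if node[0] == "not":
        return not evaluate(node[1], doc)
    _, field, value, is_phrase = node
    texts = [str(v) for v in ([doc.get(field)] if field else doc.values()) if v is not None]
    if is_phrase:  # "quoted": the exact phrase, anywhere in the field
        return any(value.lower() in t.lower() for t in texts)
    # unquoted: some token of the field must match; '*' stands for any run of characters
    pattern = re.compile(".*".join(map(re.escape, value.split("*"))), re.IGNORECASE)
    return any(pattern.fullmatch(tok) for t in texts for tok in _SPLIT_RE.split(t) if tok)

def search(query, docs):  # matching documents in index order, like the Discover result list
    tree = parse(query)
    return [d for d in docs if evaluate(tree, d)]

def syntax_error(query):  # the parse-error text the query bar would show, or None
    try:
        return parse(query) and None
    except KQLSyntaxError as exc:
        return str(exc)

# Constructed sample documents, modelled on the field names used in the article.
SAMPLE_DOCS = [
    {"_type": "doc", "host": "jekil1.fvds.ru", "severity": "WARN", "path": "/var/log/auth.log",
     "geoip.ip": "192.0.2.10", "message": "watcher restarted after reading /var/log/oauth.log"},
    {"_type": "doc", "host": "jekil1.fvds.ru", "severity": "WARN", "path": "/var/log/syslog",
     "message": "exception=>Errno::EACCES Permission denied - /var/log/secure"},
    {"_type": "forum", "host": "forum.free-peoples.ru", "severity": "INFO",
     "path": "/var/log/nginx/access.log", "message": "POST /ucp.php?mode=login HTTP/1.1 200"},
]
```

Call search("host: jekil1.fvds.ru and severity : WARN and message: *auth.log*", SAMPLE_DOCS) to get the first document (its message contains “oauth.log”, which the leading wildcard covers); syntax_error("message: exception=>Errno::EACCES") returns the error text with '>' at offset 19, while the same query with the value in double quotes parses and matches the second document; the bare word login behaves like the practice section's free-text search and finds only the forum document. Real KQL is case-sensitive on keyword fields and runs text fields through the index analyzer, so exact match sets in Kibana can differ from this toy.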

Conclusion

I usually look for logs in Kibana by the ERROR logging level, and also by specifying the necessary system data. Additionally, you can search for logs by sessionId, Id, UUID, messages from the server response, and request data. With this guide, relying on useful sources, I wanted to show how to write KQL queries, teach how to read logs, and apply this knowledge in my work.

Thanks for reading. Sincerely, Nadezhda Dudnik (protestinginfo), chief test engineer in fintech and software testing mentor.

And I want to reach my goal!
