Kibana. Using the KQL query language when searching for logs
For beginner testers
Author: Nadezhda Dudnik
Introduction
Kibana (wiki) is used to monitor and analyze IT infrastructure as part of the Elastic Stack, which, in addition to Kibana, includes Elasticsearch and Logstash. Logstash is responsible for collecting logs and delivers the incoming data stream to Elasticsearch for storage, classification, and retrieval. Kibana, in turn, reads the data from Elasticsearch and visualizes it in various formats.
Kibana has its own query language, KQL (Kibana Query Language); see the official documentation.
Using this language, you can write queries that help you filter and find the information you need.
Select a value in Change index pattern, choosing the index whose logs you need to check. For parsing I will first choose ‘logstash‘ and then look at ‘forum‘, since those logs come from the clan’s forum for the game Lord of the Rings Online (http://forum.free-peoples.ru/), for which Evgeny Sychev is also responsible (warning: certificate requirement -> trust).
The main blocks for working with logs:
Block for entering a log search, with or without a KQL query;
Block for choosing the time interval (Today, This week, Last 15 minutes (default), Last 30 minutes, Last 1 hour, Last 24 hours, Last 7 days, Last 30 days, Last 90 days, Last 1 year);
Block with the filters selected for the log output (“Selected fields”);
Block with the available filters (“Available fields”);
Block with the log search results, with or without the selected filters;
Block of filters by data type (“Filter by type”);
Buttons “Refresh / Update”.
Using KQL.
Point the cursor to the line for composing KQL queries.
Possible key attributes to search for logs are displayed.
Specify, for example, the attribute “message” (Filter results that contain message).
Screenshots from the documentation describing the main parameters.
Let’s look at examples. The field “host” has the data type “string”, and the following options are displayed for a string field:
The field “geoip.ip” has the data type “number”, and the following options are displayed for a numeric field:
Compiling a simple KQL query.
host: jekil1.fvds.ru and severity : WARN
( : ) is the operator responsible for finding matches.
Match results:
Next query: host: jekil1.fvds.ru and severity : WARN and message: *auth.log*
Here * denotes a wildcard. *auth.log* finds any values that contain “auth.log” in any position; exc* finds any values that start with
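To make the semantics of the queries above concrete, here is an added example (not part of the original article, and not Kibana's own code) that evaluates the KQL subset used on this page, the “:” match operator, “and”, and “*” wildcards, against a few constructed log records with the same host/severity/message fields; wildcard matching is approximated over the whole field value rather than over analyzed tokens:

```python
import re

# Constructed sample records, shaped like the logs shown on the page
# (host, severity, message). They are not real data from the forum server.
RECORDS = [
    {"host": "jekil1.fvds.ru", "severity": "WARN",
     "message": "pam_unix(sshd:auth): authentication failure in auth.log"},
    {"host": "jekil1.fvds.ru", "severity": "INFO",
     "message": "session opened for user www-data in auth.log"},
    {"host": "jekil1.fvds.ru", "severity": "WARN",
     "message": "disk usage above 90% (syslog)"},
    {"host": "other.host", "severity": "WARN",
     "message": "failed login recorded in auth.log"},
]


def _term_matches(field, pattern, record):
    """Emulate KQL's ':' operator for one term.

    Without '*' the field must equal the value (case-insensitive, as for a
    keyword/text match). With '*' each wildcard may stand for any run of
    characters, so '*auth.log*' matches anywhere and 'exc*' matches a prefix.
    """
    value = str(record.get(field, ""))
    if "*" in pattern:
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return re.search(regex, value, re.IGNORECASE) is not None
    return value.lower() == pattern.lower()


def kql_filter(query, records):
    """Evaluate a query of the form 'field: value and field: value ...'
    (terms joined with 'and', spaces around ':' allowed, as in the article)
    and return the records that satisfy every term."""
    terms = []
    for clause in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        field, _, pattern = clause.partition(":")
        terms.append((field.strip(), pattern.strip()))
    return [r for r in records
            if all(_term_matches(f, p, r) for f, p in terms)]


if __name__ == "__main__":
    for q in ("host: jekil1.fvds.ru and severity : WARN",
              "host: jekil1.fvds.ru and severity : WARN and message: *auth.log*"):
        print(q, "->", len(kql_filter(q, RECORDS)), "match(es)")
```

Narrowing the query with the wildcard term drops the WARN record whose message does not mention auth.log, which is exactly the effect the second query on the page has in Discover.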