问题
With ELK (Elasticsearch-Logstash-Kibana) stack, I collect syslog logs from *nix boxes to Logstash and send it to Kibana via Elasticsearch. This is classical one scenario.
My syslog log includes normal system events, squid access log, captiveportal login logs etc. captiveportal logged as
1423548430 2582 192.168.1.23 xx:ae:xx:e1:xx:99 mike.brown cc9aeb1210b39571 MTI= first
and
squid access logs logged as:
1423562965.228 482 192.168.1.23 TCP_MISS/200 1254 POST http://ad4.liverail.com/? - DIRECT/31.13.93.12 text/xml
In Logstash, I have filtered captive portal log, and I have got client_ip="192.168.1.23", user_name="mike.brown" and also in different filter in Logstash configuration I have also filtered squid access log, and I have got src_ip="192.168.1.23".
My question is: How can I query to get user_name where client_ip of squid access log equals to src_ip of captive portal in Kibana?
回答1:
You can't do joins in elasticsearch. They discuss a few of the options for relationships in this doc.
来源:https://stackoverflow.com/questions/28429607/combine-logs-and-query-in-elk