I have AWS ELB logs being indexed with production-elb-YYYY.ww, S3 access 
logs being indexed with production-s3-YYYY.ww
Default index pattern is production-s3*
I also have an index pattern for production-elb* 

When I select production-elb* and search for "_grokparsefailure", it 
doesn't return any results.

If I create an index pattern production-* and search for "_grokparsefailure", 
it does return the failed log events. I think both should return these 
log events.
One of these failed events is:

{
  "_index": "production-elb-2015.04",
  "_type": "elb-access-logs",
  "_id": "AUxzyxEQrRg0e6fTsE_9",
  "_score": null,
  "_source": {
    "message": "2015-04-01T06:23:01.407429Z xxx xxx:yyy - -1 -1 -1 504 0 0 0 \"GET https://xxx:443/ HTTP/1.1\"\n",
    "@version": "1",
    "@timestamp": "2015-04-01T07:03:49.339Z",
    "type": "elb-access-logs",
    "tags": [
      "_grokparsefailure"
    ]
  },
  "fields": {
    "@timestamp": [
      1427871829339
    ]
  },
  "highlight": {
    "message": [
      "2015-04-01T06:23:01.407429Z xxx xxx:yyy - -1 -1 -1 @kibana-highlighted-field@504@/kibana-highlighted-field@ 0 0 0 \"@kibana-highlighted-field@GET@/kibana-highlighted-field@ https://xxx:443/ HTTP/1.1\"\n"
    ],
    "tags": [
      "@kibana-highlighted-field@_grokparsefailure@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1427871829339
  ]
}

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/d392523e-7585-425f-b8f6-c2a291c6be49%40googlegroups.com.
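The event above is worth more than a Kibana curiosity: a line tagged `_grokparsefailure` is an ELB 504 whose backend field is `-` and whose processing times are `-1`, which is exactly what a classic ELB writes when a request never reaches a backend. If such lines are not parsed, the 5xx and backend-failure events are invisible to dashboards and alerts that key on `elb_status_code`. The script below is an added example and is not from the original post, Logstash, or Kibana. It assumes the message follows the classic 12-field ELB access-log layout (the format in force when this log was written) and tolerates the `-`/`-1` placeholders; it then triages a constructed copy of the posted event, reparsing only those documents that carry the failure tag. The helper names (`parse_elb_line`, `triage_failed_events`) and the `SAMPLE_EVENTS` list are the example's own.

```python
import re
from typing import Optional, List, Dict, Tuple

# Constructed sample: the "message" of the failed event from the post,
# including the trailing newline the shipper left on the line.
SAMPLE_LINE = ('2015-04-01T06:23:01.407429Z xxx xxx:yyy - -1 -1 -1 504 0 0 0 '
               '"GET https://xxx:443/ HTTP/1.1"\n')

# Constructed sample: the relevant parts of the posted Elasticsearch hit,
# plus one well-formed sibling hit without the failure tag (assumed data).
SAMPLE_EVENTS = [
    {"_index": "production-elb-2015.04", "_id": "AUxzyxEQrRg0e6fTsE_9",
     "_source": {"message": SAMPLE_LINE, "type": "elb-access-logs",
                 "tags": ["_grokparsefailure"]}},
    {"_index": "production-elb-2015.04", "_id": "constructed-ok-1",
     "_source": {"message": "2015-04-01T06:24:00.000000Z xxx 10.0.0.5:44321 "
                            "10.0.1.7:8080 0.000041 0.002 0.00003 200 200 0 512 "
                            "\"GET https://xxx:443/health HTTP/1.1\"\n",
                 "type": "elb-access-logs", "tags": []}},
]

# Classic ELB access-log layout (assumption: 12 space-separated fields, request
# quoted). A backend of "-" and processing times of -1 are the documented
# placeholders for "no backend was reached", so the pattern must accept them.
ELB_RE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_processing_time>-?\d+(?:\.\d+)?) '
    r'(?P<backend_processing_time>-?\d+(?:\.\d+)?) '
    r'(?P<response_processing_time>-?\d+(?:\.\d+)?) '
    r'(?P<elb_status_code>\d{3}) (?P<backend_status_code>\d+) '
    r'(?P<received_bytes>\d+) (?P<sent_bytes>\d+) '
    r'"(?P<request>[^"]*)"\s*$'
)

TIME_FIELDS = ("request_processing_time", "backend_processing_time",
               "response_processing_time")
INT_FIELDS = ("elb_status_code", "backend_status_code",
              "received_bytes", "sent_bytes")


def split_hostport(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'host:port' on the last colon; '-' means no endpoint at all."""
    if value == "-":
        return None, None
    host, _, port = value.rpartition(":")
    return (host or value), (port or None)


def parse_elb_line(line: str) -> Optional[Dict]:
    """Parse one classic ELB access-log line; None if it does not fit."""
    m = ELB_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in TIME_FIELDS:
        d[k] = float(d[k])
    for k in INT_FIELDS:
        d[k] = int(d[k])
    d["client_ip"], d["client_port"] = split_hostport(d["client"])
    d["backend_ip"], d["backend_port"] = split_hostport(d["backend"])
    # The security-relevant bit: a 5xx with no backend is an ELB-side failure
    # (timeout or no healthy instance), not a backend application error.
    d["backend_reached"] = d["backend"] != "-"
    return d


def triage_failed_events(events: List[Dict]) -> List[Dict]:
    """Reparse only hits tagged _grokparsefailure and report the outcome."""
    out = []
    for ev in events:
        src = ev.get("_source", {})
        if "_grokparsefailure" not in src.get("tags", []):
            continue
        out.append({"index": ev.get("_index"), "id": ev.get("_id"),
                    "parsed": parse_elb_line(src.get("message", ""))})
    return out


if __name__ == "__main__":
    for row in triage_failed_events(SAMPLE_EVENTS):
        p = row["parsed"]
        status = "unparseable" if p is None else (
            f"{p['elb_status_code']} backend_reached={p['backend_reached']}")
        print(f"{row['index']}/{row['id']}: {status}")
```

Once the shape of the failing lines is known, the same tolerant pattern can be carried back into the Logstash grok filter (or the `-`/`-1` cases handled in a second `match` branch) so that the failed-backend 5xx events land in the parsed fields rather than only in `tags`.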