Then, in the panel on the left, choose Date Histogram for the X-axis, display it by hour and minute, and set the interval to Auto; click the green triangle button “Apply Changes” and Kibana generates a bar chart similar to the one shown in E:\u\elk\pic\18.png:
Then click the save button “Save Visualization” on the right; the chart can be saved as search_log_visual_1, as shown in E:\u\elk\pic\19.png:
Then go to the “Dashboard” page and click the grey “+” button at the bottom, as shown in E:\u\elk\pic\20.png:
Then select the visualization we just saved; the chart generated earlier appears on the panel, as shown in E:\u\elk\pic\21.png:
If there is a lot of data, we can add several charts to the Dashboard page according to business needs and points of interest: bar charts, line charts, maps, pie charts and so on. We can also set a refresh frequency so that the charts update automatically, as shown in E:\u\elk\pic\22.png:
If the refresh interval is set to a short value, the chart effectively becomes a real-time analysis chart, similar to a Zabbix monitoring graph.
OK, that completes the basic ELK platform deployment and debugging workflow; what follows is applying it to the various business scenarios.
5. Some error records
(1) Startup problem
[elk@hch_test_dbm1_121_62 elasticsearch-2.3.4]$ ./bin/elasticsearch &
[1] 20726
[elk@hch_test_dbm1_121_62 elasticsearch-2.3.4]$ Exception in thread "main" SettingsException[Failed to load settings from [elasticsearch.yml]]; nested: ElasticsearchParseException[malformed, expected settings to start with 'object', instead was [VALUE_STRING]];
Likely root cause: ElasticsearchParseException[malformed, expected settings to start with 'object', instead was [VALUE_STRING]]
at org.elasticsearch.common.settings.loader.XContentSettingsLoader.load(XContentSettingsLoader.java:65)
at org.elasticsearch.common.settings.loader.XContentSettingsLoader.load(XContentSettingsLoader.java:45)
at org.elasticsearch.common.settings.loader.YamlSettingsLoader.load(YamlSettingsLoader.java:46)
at org.elasticsearch.common.settings.Settings$Builder.loadFromStream(Settings.java:1080)
at org.elasticsearch.common.settings.Settings$Builder.loadFromPath(Settings.java:1067)
at org.elasticsearch.node.internal.InternalSettingsPreparer.prepareEnvironment(InternalSettingsPreparer.java:88)
at org.elasticsearch.common.cli.CliTool.<init>(CliTool.java:107)
at org.elasticsearch.common.cli.CliTool.<init>(CliTool.java:100)
at org.elasticsearch.bootstrap.BootstrapCLIParser.<init>(BootstrapCLIParser.java:48)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:226)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Refer to the log for complete error details.
[1]+ Exit 1 ./bin/elasticsearch
[elk@hch_test_dbm1_121_62 elasticsearch-2.3.4]$
Cause: the "=" separators in the configuration file must be replaced with ":" (YAML "key: value"), giving the following configuration:
[elk@hch_test_dbm1_121_62 elasticsearch-2.3.4]$ more config/elasticsearch.yml |grep -v "#"
cluster.name: es_cluster
node.name: node0
path.data: /home/elk/data
path.logs: /home/elk/logs
network.host: 192.168.121.62
network.port: 9200
[elk@hch_test_dbm1_121_62 elasticsearch-2.3.4]$
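The start-up failure above is a YAML shape problem: Elasticsearch needs the top level of elasticsearch.yml to be a mapping, and a properties-style line such as cluster.name=es_cluster is valid YAML that parses as a plain string, hence "expected settings to start with 'object', instead was [VALUE_STRING]". The script below is an added example, not part of this tutorial or of Elasticsearch; it scans the file before the JVM is started, reports every line that does not have the "key: value" shape, and can rewrite the "=" lines. The file path is an assumption; the sample text in the test is constructed.

```python
"""Pre-flight check for elasticsearch.yml (added example; not from the tutorial).

Elasticsearch reads elasticsearch.yml as YAML and requires the top level of the
document to be a mapping ("object").  A line written properties-style, such as
    cluster.name=es_cluster
is still valid YAML, but it parses as a plain string, which is exactly what the
start-up error above reports:
    expected settings to start with 'object', instead was [VALUE_STRING]
This script uses only the standard library so it can run before the JVM starts.
"""
import re
import sys

# Accepted shapes: "dotted.key: value" (colon followed by whitespace or end of line)
# and YAML list items such as "  - 192.168.121.62" under a nested key.
_GOOD_LINE = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*:(\s|$)")
_LIST_ITEM = re.compile(r"^\s*-\s")
# Properties-style line: "dotted.key=value" or "dotted.key = value".
_EQUALS_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*)$")


def _strip_comment(raw):
    # YAML comments start with '#' at the beginning of a line or after whitespace.
    return re.sub(r"(^|\s)#.*$", "", raw).rstrip()


def check_settings_text(text):
    """Return a list of (line_number, problem, suggestion) for every line that
    would stop the file from parsing as a settings mapping.  An empty list means
    every non-blank, non-comment line has the "key: value" shape."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if _GOOD_LINE.match(line) or _LIST_ITEM.match(line):
            continue
        m = _EQUALS_LINE.match(line)
        if m:
            problems.append((lineno,
                             "'=' separator (YAML reads the line as a string, not a mapping)",
                             "%s: %s" % (m.group(1), m.group(2).strip())))
        else:
            problems.append((lineno, "not a 'key: value' setting", line.strip()))
    return problems


def rewrite_equals(text):
    """Return the text with every properties-style 'key=value' line rewritten as
    'key: value'.  Lines that are already YAML settings, comments, or blank are
    returned unchanged."""
    out = []
    for raw in text.splitlines():
        m = _EQUALS_LINE.match(raw)
        if m and not _GOOD_LINE.match(raw) and not raw.lstrip().startswith("#"):
            out.append("%s: %s" % (m.group(1), m.group(2).strip()))
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def main(argv):
    # Usage: python check_es_yml.py config/elasticsearch.yml   (path is an assumption)
    path = argv[1] if len(argv) > 1 else "config/elasticsearch.yml"
    with open(path) as fh:
        text = fh.read()
    problems = check_settings_text(text)
    for lineno, problem, suggestion in problems:
        print("%s:%d: %s -> %s" % (path, lineno, problem, suggestion))
    if not problems:
        print("%s: all settings lines are 'key: value'" % path)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the checker against the configuration as it was before the fix reports each "=" line together with the "key: value" form it should take; a line such as network.host:192.168.121.62 (no space after the colon) is reported too, because YAML reads it as a single string as well. The exit status is non-zero when anything is flagged, so the check can sit in a deployment script ahead of starting the service.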
(2) Unable to fetch mapping.
Unable to fetch mapping. Do you have indices matching the pattern?
This means Logstash has not written any logs into Elasticsearch.
Solution:
Check whether communication between Logstash and Elasticsearch is working; the problem is usually there.
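A quick way to confirm that diagnosis from the Elasticsearch side, rather than from the Kibana error text, is to list the indices Elasticsearch actually holds and match them against the index pattern Kibana was given. The script below is an added example, not part of this tutorial, Kibana or Elasticsearch; it parses the output of the _cat/indices API and tells "no matching index" (Logstash never connected or never wrote) apart from "matching index exists but is empty" (Logstash connected but is not indexing events). The host and port follow the tutorial's network.host and network.port values; the _cat/indices output embedded in the script is constructed for the offline demonstration.

```python
"""Does Elasticsearch already hold an index that matches the Kibana index pattern?
(Added example; not from the tutorial.)

Kibana's "Unable to fetch mapping. Do you have indices matching the pattern?"
means that no index name matches the pattern typed into Kibana, usually because
Logstash has not indexed anything yet.  This script asks Elasticsearch directly
via the _cat/indices API and reports the matching indices and their document
counts, so "no index" can be told apart from "index exists but is empty".
"""
import fnmatch
import sys
import urllib.request

# Constructed sample of GET /_cat/indices?v output, used when no URL is given.
SAMPLE_CAT_OUTPUT = """\
health status index               pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logstash-2016.08.15   5   1       1234            0      1.2mb          1.2mb
yellow open   logstash-2016.08.16   5   1          0            0       650b           650b
yellow open   .kibana               1   1          2            0     10.4kb         10.4kb
"""


def parse_cat_indices(text):
    """Parse the text returned by GET /_cat/indices?v into a list of dicts keyed
    by the header names (health, status, index, docs.count, ...)."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip anything that is not a well-formed row
        rows.append(dict(zip(header, fields)))
    return rows


def indices_for_pattern(rows, pattern):
    """Return [(index_name, docs_count)] for rows whose name matches the
    Kibana-style glob pattern (e.g. 'logstash-*'), sorted by name."""
    matches = []
    for row in rows:
        if fnmatch.fnmatchcase(row["index"], pattern):
            matches.append((row["index"], int(row.get("docs.count", "0"))))
    return sorted(matches)


def diagnose(rows, pattern):
    """Return a one-line verdict for the pattern."""
    matches = indices_for_pattern(rows, pattern)
    if not matches:
        return ("no index matches %r: Logstash has not written to Elasticsearch "
                "(check the Logstash elasticsearch output and connectivity)" % pattern)
    if all(count == 0 for _, count in matches):
        return "indices match %r but all are empty: events are not being indexed" % pattern
    return "ok: %d index(es) match %r" % (len(matches), pattern)


def fetch_cat_indices(base_url):
    # base_url such as "http://192.168.121.62:9200" (the tutorial's host and port)
    with urllib.request.urlopen(base_url + "/_cat/indices?v", timeout=5) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python es_index_check.py http://192.168.121.62:9200 'logstash-*'
    pattern = sys.argv[2] if len(sys.argv) > 2 else "logstash-*"
    if len(sys.argv) > 1:
        text = fetch_cat_indices(sys.argv[1])
    else:
        text = SAMPLE_CAT_OUTPUT  # offline demonstration on the constructed sample
    print(diagnose(parse_cat_indices(text), pattern))
```

If the verdict is "no index matches", the Logstash side is the place to look (its elasticsearch output block, and whether it can reach the host and port above); if indices match but are empty, Logstash is connecting but its pipeline is not producing events, which is a different problem from the one the Kibana message suggests.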
(3) log4j error
log4j:WARN No appenders could be found for logger (com.demo.elk.Application).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See #noconfig for more info.
Solution:
(a) The JDK version is too low; JDK 1.7 or above is required.
(b) The Java class and log4j.properties do not match up; in testing, put the Java class and log4j.properties in the same directory.