Introduction to "View surrounding documents"
When searching logs in Kibana, there is a feature called "view surrounding documents" that shows the log entries immediately before and after a selected entry, much like reading logs with grep -A and grep -B.
How it is implemented
I am not familiar with the Kibana source code, so I looked at the traffic with tcpdump instead.
# capture the requests Kibana sends to Elasticsearch
sudo tcpdump -i lo0 -nn -A port 9200 >> /tmp/search.log
# the two _msearch requests that correspond to "view surrounding documents"
{"index":["lo*"],"ignore_unavailable":true,"preference":1629426306757}
{"version":true,"size":5,"search_after":[1629427817846,9],"sort":[{"@timestamp":{"order":"asc","unmapped_type":"boolean"}},{"_doc":{"order":"desc","unmapped_type":"boolean"}}],"_source":{"excludes":[]},"stored_fields":["*"],"script_fields":{},"docvalue_fields":["@timestamp"],"query":{"bool":{"must":[{"match_all":{}}],"filter":[],"should":[],"must_not":[]}}}
{"index":["lo*"],"ignore_unavailable":true,"preference":1629426306757}
{"version":true,"size":5,"search_after":[1629427817846,9],"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}},{"_doc":{"order":"asc","unmapped_type":"boolean"}}],"_source":{"excludes":[]},"stored_fields":["*"],"script_fields":{},"docvalue_fields":["@timestamp"],"query":{"bool":{"must":[{"match_all":{}}],"filter":[],"should":[],"must_not":[]}}}
So it is implemented with search_after: one request sorts ascending by @timestamp (with _doc descending as the tiebreaker) to fetch the entries after the anchor, and the other sorts descending to fetch the entries before it.
However, ordering purely by timestamp still has a flaw.
When the number of surrounding rows is changed from 5 to 6, an extra row appears, as shown in the screenshots below.
[screenshots: surrounding documents with 5 rows and with 6 rows]
This is still some way from the grep -A / grep -B behaviour we expected.
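To make the mechanism above concrete, here is an added example (my own code, not Kibana's or Elasticsearch's) that rebuilds the two _msearch bodies captured above for an arbitrary anchor document and emulates how Elasticsearch evaluates search_after over a small constructed set of log entries. The index pattern, the sample documents and their _doc ids are constructed for the demo; the sort clauses are copied from the captured requests. Because _doc is a per-shard Lucene id, the emulation models a single shard. Running it shows why the result is not the same as grep -A/-B: when several entries share a timestamp, membership of the "before" and "after" windows is decided by the sort tuple and the _doc tiebreaker, not by the order in which the lines were written.

```python
import json

# Constructed sample "index": log lines in the order they were written, each
# with its @timestamp (epoch ms) and a Lucene _doc id. Several lines share a
# timestamp; that is exactly the case where search_after and grep -A/-B diverge.
DOCS = [
    {"_doc": 0, "@timestamp": 1000, "message": "line0"},
    {"_doc": 1, "@timestamp": 1000, "message": "line1"},
    {"_doc": 2, "@timestamp": 1000, "message": "line2 (anchor)"},
    {"_doc": 3, "@timestamp": 1000, "message": "line3"},
    {"_doc": 4, "@timestamp": 1001, "message": "line4"},
    {"_doc": 5, "@timestamp": 1002, "message": "line5"},
    {"_doc": 6, "@timestamp": 1002, "message": "line6"},
]

# Sort clauses exactly as seen in the two captured requests.
KIBANA_SORT_AFTER = [{"@timestamp": {"order": "asc"}}, {"_doc": {"order": "desc"}}]
KIBANA_SORT_BEFORE = [{"@timestamp": {"order": "desc"}}, {"_doc": {"order": "asc"}}]


def msearch_request(index_pattern, anchor_sort_values, size, sort):
    """Build the two NDJSON lines (header + body) Kibana sends for one direction."""
    header = {"index": [index_pattern], "ignore_unavailable": True}
    body = {
        "version": True,
        "size": size,
        "search_after": anchor_sort_values,
        "sort": [{f: dict(o, unmapped_type="boolean") for f, o in s.items()} for s in sort],
        "_source": {"excludes": []},
        "stored_fields": ["*"],
        "script_fields": {},
        "docvalue_fields": ["@timestamp"],
        "query": {"bool": {"must": [{"match_all": {}}], "filter": [], "should": [], "must_not": []}},
    }
    return json.dumps(header) + "\n" + json.dumps(body) + "\n"


def _sort_key(doc, sort):
    """Turn a document into a comparable tuple: negate fields sorted descending."""
    key = []
    for spec in sort:
        (field, opts), = spec.items()
        value = doc[field]
        key.append(value if opts["order"] == "asc" else -value)
    return tuple(key)


def simulate_search_after(docs, sort, search_after, size):
    """Emulate ES on one shard: order by `sort`, return the first `size` hits strictly after the anchor tuple."""
    anchor = {field: val for spec, val in zip(sort, search_after) for field in spec}
    anchor_key = _sort_key(anchor, sort)
    ordered = sorted(docs, key=lambda d: _sort_key(d, sort))
    return [d for d in ordered if _sort_key(d, sort) > anchor_key][:size]


def surrounding(docs, anchor, size):
    """Return (_doc ids before, _doc ids after) the way the two Kibana requests compute them."""
    values = [anchor["@timestamp"], anchor["_doc"]]
    after = simulate_search_after(docs, KIBANA_SORT_AFTER, values, size)
    before = simulate_search_after(docs, KIBANA_SORT_BEFORE, values, size)
    # The "before" request returns hits nearest the anchor first; flip to reading order.
    return [d["_doc"] for d in reversed(before)], [d["_doc"] for d in after]


def grep_context(docs, anchor, size):
    """What grep -B size / -A size would show: neighbours by line position, ignoring timestamps."""
    i = next(i for i, d in enumerate(docs) if d["_doc"] == anchor["_doc"])
    return [d["_doc"] for d in docs[max(0, i - size):i]], [d["_doc"] for d in docs[i + 1:i + 1 + size]]


if __name__ == "__main__":
    anchor = DOCS[2]
    print(msearch_request("lo*", [anchor["@timestamp"], anchor["_doc"]], 2, KIBANA_SORT_AFTER))
    print("search_after windows:", surrounding(DOCS, anchor, 2))
    print("grep -B2/-A2 windows:", grep_context(DOCS, anchor, 2))
```

With the constructed data the anchor has three neighbours carrying the same timestamp, and the search_after windows come out as before=[3], after=[1, 0], whereas grep gives before=[0, 1], after=[3, 4]. Changing `size` only grows each window along the sort order, so adding a row can surface an entry that, by line position, sits on the other side of the anchor.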