- Packetbeat Reference: other versions:
- Overview
- Getting Started With Packetbeat
- Running Packetbeat on Docker
- Upgrading Packetbeat
- Configuring Packetbeat
- Configuration Options (Reference)
- Processors
- Setting Traffic Capturing Options
- Filtering and Enhancing the Exported Data
- Configuring Packetbeat to Use Ingest Node
- Exporting GeoIP Information
- Configuring Packetbeat to Use Logstash
- Configuring Flows to Monitor Network Traffic
- Using Environment Variables in the Configuration
- Configuring Thrift-RPC Support
- Maintaining the Real-Time State of the Network Topology
- YAML Tips and Gotchas
- Exported Fields
- AMQP Fields
- Beat Fields
- Cassandra Fields
- Cloud Provider Metadata Fields
- Common Fields
- DNS Fields
- Flow Event Fields
- HTTP Fields
- ICMP Fields
- Memcache Fields
- MongoDb Fields
- MySQL Fields
- NFS Fields
- PostgreSQL Fields
- Raw Fields
- Redis Fields
- Thrift-RPC Fields
- Transaction Event Fields
- Measurements (Transactions) Fields
- Securing Packetbeat
- Visualizing Packetbeat Data in Kibana
- Troubleshooting
- Developer Guide: Adding a New Protocol
WARNING: Version 5.5 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Kibana Queries and Filters
editKibana Queries and Filters
editIn Kibana, you can filter transactions either by entering a search query or by clicking on elements within a visualization.
Creating Queries
editThe search field on the Discover page provides a way to query
a specific subset of transactions from the selected time frame.
The query syntax is based on the
Lucene query syntax.
It allows boolean operators, wildcards, and field filtering. For example, if
you want to find the HTTP redirects, you can search for
type: http AND http.response.code: 302
.
String Queries
editA query may consist of one or more words or a phrase. A phrase is a
group of words surrounded by double quotation marks, such as "test search"
.
To search for all HTTP requests initiated by Mozilla Web browser version 5.0:
"Mozilla/5.0"
To search for all the transactions that contain the following message:
"Cannot change the info of a user"
To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example would match any documents containing one of the following words: "Cannot" OR "change" OR "the" OR "info" OR "a" OR "user".
To search for all transactions with the "chunked" encoding:
"Transfer-Encoding: chunked"
Field-Based Queries
editKibana allows you to search specific fields.
To view HTTP transactions only:
type: http
To view failed transactions only:
status: Error
To view MySQL INSERT queries only:
mysql.method: INSERT
Regexp Queries
editKibana supports regular expression for filters and expressions. For example, to search for all HTTP responses with JSON as the returned value type:
http.response.headers["content-type"]: *json
See Elasticsearch regexp query for more details about the syntax.
Range Queries
editRange queries allow a field to have values between the lower and upper bounds. The interval can include or exclude the bounds depending on the type of brackets that you use.
To search for slow transactions with a response time greater than or equal to 10ms:
responsetime: [10 TO *]
To search for slow transactions with a response time greater than 10ms:
responsetime: {10 TO *}
Boolean Queries
editBoolean operators (AND, OR, NOT) allow combining multiple sub-queries through logic operators.
Operators such as AND, OR, and NOT must be capitalized. See Lucene query syntax for more details about the boolean operators.
To search for all transactions except MySQL transactions:
NOT type: mysql
To search for all MySQL SELECT queries with large attachments:
mysql.method: SELECT AND mysql.size: [10000 TO *]
Lucene also supports parentheses to group sub-queries.
To search for either INSERT or UPDATE MySQL queries with a response time greater than or equal to 30ms:
(mysql.method: INSERT OR mysql.method: UPDATE) AND responsetime: [30 TO *]
Creating Filters
editIn Kibana, you can also filter transactions by clicking on
elements within a visualization. For example, to filter for all the HTTP redirects that are coming from a specific
IP and port, click the "Filter for value" icons (highlighted in green below) for the client_ip
and client_port
fields in the transaction detail widget. To
exclude the HTTP redirects coming from the IP and port, click the icons highlighted in red.
The selected filters appear under the search box.
On this page