Kibana queries and filters

This topic provides a short introduction to some useful queries for searching Packetbeat data. For a full description of the query syntax, see Searching Your Data in the Kibana User Guide.
In Kibana, you can filter transactions either by entering a search query or by clicking on elements within a visualization.
Create queries

The search field on the Discover page provides a way to query a specific subset of transactions from the selected time frame. It allows boolean operators, wildcards, and field filtering. For example, if you want to find the HTTP redirects, you can search for http.response.status_code: 302.
String queries

A query may consist of one or more words or a phrase. A phrase is a group of words surrounded by double quotation marks, such as "test search".
To search for all HTTP requests initiated by Mozilla Web browser version 5.0:
"Mozilla/5.0"
To search for all the transactions that contain the following message:
"Cannot change the info of a user"
To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example would match any documents containing one of the following words: "Cannot" OR "change" OR "the" OR "info" OR "a" OR "user".
To search for all transactions with the "chunked" encoding:
"Transfer-Encoding: chunked"
Field-based queries

Kibana allows you to search specific fields.
To view HTTP transactions only:
type: http
To view failed transactions only:
status: Error
To view INSERT queries only:
method: INSERT
Regexp queries

Kibana supports regular expressions in filters and expressions. For example, to search for all HTTP responses with JSON as the returned value type:
http.response_headers.content_type: *json
See Elasticsearch regexp query for more details about the syntax.
Range queries

Range queries allow a field to have values between the lower and upper bounds. The interval can include or exclude the bounds depending on the type of brackets that you use: square brackets include the bound, curly braces exclude it.
To search for slow transactions with a response time greater than or equal to 10ms (event.duration is stored in nanoseconds, so 10ms is 10000000):
event.duration: [10000000 TO *]
To search for slow transactions with a response time greater than 10ms:
responsetime: {10000000 TO *}
Boolean queries

Boolean operators (AND, OR, NOT) allow combining multiple sub-queries through logic operators.
Operators such as AND, OR, and NOT must be capitalized.
To search for all transactions except MySQL transactions:
NOT type: mysql
To search for all MySQL INSERT queries with errors:
type: mysql AND method: INSERT AND status: Error
Kibana Query Language (KQL) also supports parentheses to group sub-queries.
To search for either INSERT or UPDATE queries with a response time greater than or equal to 30ms:
(method: INSERT OR method: UPDATE) AND event.duration >= 30000000
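The string, range and boolean examples above each hinge on a small semantic detail: a quoted phrase matches as a whole while unquoted words match as an implicit OR, square brackets include a bound while curly braces exclude it, and parentheses change how AND and OR combine. The following is an added illustration, not Kibana or Elasticsearch code and not part of the Packetbeat documentation: a tiny evaluator that models just those semantics and runs the page's example queries over a handful of constructed Packetbeat-style documents, so the different results can be checked offline. It assumes the same field, event.duration, for both range examples (the page's second one uses responsetime) and treats every string field of a document as the free-text search target.

```python
import re

# Constructed Packetbeat-style transaction documents (sample data, not real captures).
# event.duration follows ECS and is in nanoseconds: 10 ms == 10_000_000.
DOCS = [
    {"id": 1, "type": "http", "method": "GET", "status": "OK",
     "event.duration": 5_000_000, "http.response.status_code": 302,
     "request": "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n"},
    {"id": 2, "type": "http", "method": "POST", "status": "Error",
     "event.duration": 10_000_000, "http.response.status_code": 500,
     "response": "Transfer-Encoding: chunked\r\n"},
    {"id": 3, "type": "mysql", "method": "INSERT", "status": "Error",
     "event.duration": 30_000_000, "query": "Cannot change the info of a user"},
    {"id": 4, "type": "mysql", "method": "UPDATE", "status": "OK",
     "event.duration": 45_000_000, "query": "change a user"},
    {"id": 5, "type": "redis", "method": "GET", "status": "OK",
     "event.duration": 200_000},
]


def _text(doc):
    """Free-text search target: every string value of the document, joined and lowercased."""
    return " ".join(str(v) for v in doc.values() if isinstance(v, str)).lower()


def phrase(words):
    """Quoted query ("a b c"): the whole phrase must occur, in order."""
    needle = words.lower()
    return lambda doc: needle in _text(doc)


def any_word(words):
    """Unquoted words: matches when ANY single word occurs (the implicit OR)."""
    pat = re.compile(r"\b(" + "|".join(re.escape(w) for w in words.lower().split()) + r")\b")
    return lambda doc: bool(pat.search(_text(doc)))


def field_is(name, value):
    """field: value -- equality on one specific field."""
    return lambda doc: str(doc.get(name)) == str(value)


def field_range(name, low=None, high=None, incl_low=True, incl_high=True):
    """[low TO high] includes the bounds, {low TO high} excludes them; None stands for '*'."""
    def pred(doc):
        v = doc.get(name)
        if v is None:
            return False
        if low is not None and (v < low or (v == low and not incl_low)):
            return False
        if high is not None and (v > high or (v == high and not incl_high)):
            return False
        return True
    return pred


def AND(*preds):
    return lambda doc: all(p(doc) for p in preds)


def OR(*preds):
    return lambda doc: any(p(doc) for p in preds)


def NOT(pred):
    return lambda doc: not pred(doc)


def ids(pred, docs=DOCS):
    """Ids of the documents the predicate selects, in index order."""
    return [d["id"] for d in docs if pred(d)]


# The page's example queries, expressed with the helpers above.
QUERIES = {
    '"Mozilla/5.0"': phrase("Mozilla/5.0"),
    '"Cannot change the info of a user"': phrase("Cannot change the info of a user"),
    "Cannot change the info of a user": any_word("Cannot change the info of a user"),
    "type: http": field_is("type", "http"),
    "status: Error": field_is("status", "Error"),
    "event.duration: [10000000 TO *]": field_range("event.duration", low=10_000_000),
    "event.duration: {10000000 TO *}": field_range("event.duration", low=10_000_000, incl_low=False),
    "NOT type: mysql": NOT(field_is("type", "mysql")),
    "type: mysql AND method: INSERT AND status: Error": AND(
        field_is("type", "mysql"), field_is("method", "INSERT"), field_is("status", "Error")),
    "(method: INSERT OR method: UPDATE) AND event.duration >= 30000000": AND(
        OR(field_is("method", "INSERT"), field_is("method", "UPDATE")),
        field_range("event.duration", low=30_000_000)),
}

if __name__ == "__main__":
    for query, pred in QUERIES.items():
        print(f"{query:68} -> {ids(pred)}")
```

Running the block prints one line per query with the ids it selects. Two results are worth comparing: the inclusive range [10000000 TO *] keeps document 2 (exactly 10ms) while the exclusive {10000000 TO *} drops it, and the unquoted form of "Cannot change the info of a user" also selects documents 1 and 4, document 1 only because the word "user" appears in its User-Agent header, which is the over-matching the page warns about when quotation marks are omitted.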
Create filters

In Kibana, you can also filter transactions by clicking on elements within a visualization. For example, to filter for all the HTTP redirects that are coming from a specific IP and port, click the Filter for value icon next to the client.ip and client.port fields in the transaction detail table. To exclude the HTTP redirects coming from the IP and port, click the Filter out value icon instead.
The selected filters appear under the search box.