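huanggze, here is the requirement: the developers keep reporting that viewing logs is not very friendly. They would like log search to work on whole blocks rather than line by line:
For example, a Java exception prints multiple lines of ERR location information. When searching for Exception you can only see one line, and then have to run a second, narrower query based on that line's date. When the log volume is large, the query is rather slow. Do you have any ideas that could point us in the right direction?
E.g.: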
beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)