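After extending Packetbeat with the SIP protocol, the sip type cannot be found in the elasticsearch-head backend. For protocols that do not follow a one-to-one request-response pattern, how should transactions be set up?
The official documentation says the following:
Correlation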
Most protocols that Packetbeat supports today are request-response oriented. Packetbeat indexes into Elasticsearch a document for each request-response pair (called a transaction). This way we can have data from the request and the response in the same document and measure the response time.
But this can be different for your protocol. For example for an asynchronous protocol like AMPQ, it makes more sense to index a document for every message, and then no correlation is necessary. On the other hand, for a session-based protocol like SIP, it might make sense to index a document for a SIP transaction or for a full SIP dialog, which can have more than two messages.
2 replies
billzy - Make it easy
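For protocols that are not one-request-one-response, Packetbeat can support them; or rather, it actually supports very flexible definitions of transaction behavior: one-to-many, many-to-one, many-to-many (anything else? I think that's all).
For the specific way to control this, see the two return values of the parse method in http_parser.go.
Since I am not very familiar with the SIP protocol, we can discuss further if needed.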
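The correlation the quoted documentation describes for SIP, one document per transaction with more than two messages, as an added Go example that is not part of the original thread and does not use Packetbeat's plugin interface. It assumes messages are keyed by Call-ID and CSeq (RFC 3261 additionally matches the branch parameter of the top Via header) and ignores compact header names; the type names, function names and sample messages are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Txn is one indexed document: a request and every status code that answered it.
type Txn struct{ Method string; Statuses []int }

// Correlator keys open transactions by Call-ID and CSeq (assumed simplification).
type Correlator map[string]*Txn

// Feed takes one raw SIP message; it returns the transaction once a final response closes it.
func (c Correlator) Feed(raw string) *Txn {
	head, _, _ := strings.Cut(raw, "\r\n\r\n") // headers only; the body is ignored
	lines := strings.Split(head, "\r\n")
	hdr := map[string]string{}
	for _, l := range lines[1:] {
		k, v, _ := strings.Cut(l, ":")
		hdr[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	first, key := strings.Fields(lines[0]), hdr["call-id"]+"|"+hdr["cseq"]
	if len(first) < 2 || hdr["call-id"] == "" || hdr["cseq"] == "" {
		return nil // cannot be correlated
	}
	if first[0] != "SIP/2.0" { // request line opens (or restarts) a transaction
		c[key] = &Txn{Method: first[0]}
		return nil
	}
	status, _ := strconv.Atoi(first[1])
	if t := c[key]; t != nil && status >= 100 {
		t.Statuses = append(t.Statuses, status)
		if status >= 200 { // final response closes the transaction
			delete(c, key)
			return t
		}
	}
	return nil // provisional response, or no tracked request
}

func main() { // constructed sample: one INVITE answered by 100, 180 and 200
	c, hdrs := Correlator{}, "\r\nCall-ID: c1@host.example\r\nCSeq: 1 INVITE\r\n\r\n"
	for _, s := range []string{"INVITE sip:b@host.example SIP/2.0", "SIP/2.0 100 Trying", "SIP/2.0 180 Ringing", "SIP/2.0 200 OK"} {
		if t := c.Feed(s + hdrs); t != nil {
			fmt.Println(t.Method, t.Statuses)
		}
	}
}
```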
medcl - Hunting tigers tonight.