Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Visualizing Your E-mail with Elastic Stack

Kosho Owa
April 20, 2016
Technology
2
310

Visualizing Your E-mail with Elastic Stack

警視庁の犯罪・防犯情報提供サービス「メールけいしちょう」で受信したメッセージを Elasticsearch でインデックスし、Kibana で可視化する方法を紹介します。

Kosho Owa

April 20, 2016
Tweet

More Decks by Kosho Owa

See All by Kosho Owa
Introducing Machine Learning for the Elastic Stack
kosho
2
12k
Elastic Stack X-Pack 5.0 for IT Security Workshop
kosho
1
290
Elastic Stack X-Pack 5.0 for IT Ops Workshop
kosho
0
310
[Developers Summit 2017] Anomaly Detection with the Elastic Stack
kosho
1
680
Anomaly Detection with the Elastic Stack
kosho
1
1.8k
Getting Started with Elastic Cloud and Beats for Log Analytics
kosho
0
89
Elastic{ON} Seminar Tokyo 2016 Product Update
kosho
0
160
Introducing Elastic Cloud
kosho
0
64
Gearing Up for Elastic Stack, X-Pack 5.0 Releases
kosho
0
130

Other Decks in Technology

See All in Technology
完全自律型AIエージェントとAgentic Workflow〜ワークフロー構築という現実解
pharma_x_tech
0
350
JuliaTokaiとJuliaLangJaの紹介 for NGK2025S
antimon2
1
120
あなたの知らないクラフトビールの世界
miura55
0
130
Amazon Q Developerで.NET Frameworkプロジェクトをモダナイズしてみた
kenichirokimura
1
200
なぜfreeeはハブ・アンド・スポーク型の データメッシュアーキテクチャにチャレンジするのか?
shinichiro_joya
2
490
2024AWSで個人的にアツかったアップデート
nagisa53
1
110
Godot Engineについて調べてみた
unsoluble_sugar
0
410
dbtを中心にして組織のアジリティとガバナンスのトレードオンを考えてみた
gappy50
0
280
あなたの人生も変わるかも?AWS認定2つで始まったウソみたいな話
iwamot
3
860
【NGK2025S】動物園(PINTO_model_zoo)に遊びに行こう
kazuhitotakahashi
0
240
「隙間家具OSS」に至る道/Fujiwara Tech Conference 2025
fujiwara3
7
6.5k
#TRG24 / David Cuartielles / Post Open Source
tarugoconf
0
590

Featured

See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
jQuery: Nuts, Bolts and Bling
dougneiner
62
7.6k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
960
VelocityConf: Rendering Performance Case Studies
addyosmani
327
24k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
570
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.4k
Making the Leap to Tech Lead
cromwellryan
133
9k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Measuring & Analyzing Core Web Vitals
bluesmoon
5
210
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
A Modern Web Designer's Workflow
chriscoyier
693
190k

Transcript

  1. ‹#› Kosho Owa, Solutions Architect, Elastic April 20th, 2016 Visualizing

    Your E-mail ʮϝʔϧ͚͍ͪ͠ΐ͏ʯΛՄࢹԽ͢Δ

  2. ର৅σʔλ • ܯࢹிͷϝʔϧ͚͍ͪ͠ΐ͏(ొ࿥ແྉ)
 http://www.keishicho.metro.tokyo.jp/about_mpd/joho/mail_info.html • ʮ൜ࡑൃੜ৘ใʯʮ๷൜৘ใʯΛϝʔϧ഑৴ • CC BY 2.1

    JP Ͱఏڙ 2 Subject: ۄ઒ܯ࡯ॺ(ࢠͲ΋ʢ๫ߦʣ) Body: 4݄16೔ʢ౔ʣɺޕޙ4࣌40෼͜Ζɺੈా୩۠Ԟ୔̍ஸ໨ͷ࿏্Ͱɺࣇಐ͕௨ߦதɺஉʹಥ ͖ඈ͹͞Ε·ͨ͠ɻʢ൜ਓʢஉʣͷಛ௃ʹ͍ͭͯ͸ɺ̑̌ࡀ୅ɺ170cm Ґɺத೑ɺޱͻ ͛ɺ஡৭ͬΆ্͍ҥɺࠇ৭ͬΆ͍ζϘϯʣ ʲ໰߹ͤઌʳۄ઒ܯ࡯ॺ 03-3705-0110ʢ಺ઢ2612ʣ

  3. ํ਑ • ϝʔϧΛIMAPͰऔಘ • ϑΟʔϧυΛߏ଄Խ͢Δ • λΠϓΛߟྀͯ͠ΠϯσοΫε • analyzed, not_analyzedϑΟʔϧυͦΕͧΕΛ࢖༻ͯ͠ՄࢹԽ͢Δ

    3

  4. Logstash Pipeline and Plugins ϓϥάΠϯՄೳͳΞʔΩςΫνϟʔͱɺ։ൃऀʹ༏͍͠ΤίγεςϜ 4 input {} filter {}

    output {} beats, file, graphite, http, imap, kafka, rss, redis, stdin, sqlite, s3, syslog, zenoss and etc. csv, cloudwatch, email, elasticsearch, exec, file, graphite, http, kafka, mongodb, nagios, redis, s3, syslog, stdout, zabbix and etc.

  5. Input Plugin - imap 5 input { imap { host

    => "imap.gmail.com" port => 993 user => "_IMAP_USER_" password => "_IMAP_PASSWORD_" folder => "_IMAP_FOLDER_" type => "_TYPE_" check_interval => 300 codec => plain { charset => "ISO-2022-JP" } } } • ϝʔϧຊจͷΤϯίʔυΛcodecͰࢦఆ͢Δ • ͋Β͔͡ΊIMAPͷfolderΛ࢓෼͚ • ෳ਺ͷλΠϓϝʔϧΛॲཧ͢Δ৔߹ʹ͸λά(tags)Λ෇Ճ͢Δ https://www.elastic.co/guide/en/logstash/current/plugins-inputs-imap.html • ஫: ίϛϡχςΟϓϥάΠϯ

  6. Filter Plugin • ϝʔϧͷຊจ͔Βൈ͖ग़͢ϑΟʔϧυ: city, area, place • λΠτϧ͔Βൈ͖ग़͢ϑΟʔϧυ: police_station,

    incident • λΠϜελϯϓͱͯ͠࠾༻: datetime 6 filter { grok { match => { "message" => "%{DATA:[@metadata][datetime]}͜Ζɺ%{NOTSPACE:city}(۠|ࢢ)% {NOTSPACE:area}(ͷ|෇ۙ)(%{NOTSPACE:place}|)Ͱɺ%{GREEDYDATA}" } } date { match => ["[@metadata][datetime]", "M݄d೔ʢEʣɺaK࣌m෼"] locale => ja timezone => "Asia/Tokyo" } grok { match => { "subject" => "%{NOTSPACE:police_station}ܯ࡯ॺ\(%{NOTSPACE:incident}\)" } } }

  7. ೖྗσʔλ grok ग़ྗ Filter Plugin - grok • ύλʔϯʹϚονͨ͠จࣈྻΛϑΟʔϧυʹؔ࿈෇͚ɺඇߏ଄σʔλΛߏ଄Խ͢Δ https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

    7 “subject” => “ۄ઒ܯ࡯ॺ(ࢠͲ΋ʢ๫ߦʣ)” grok { match => { "subject" => "%{NOTSPACE:police_station}ܯ࡯ॺ\(%{NOTSPACE:incident}\)" } } “police_station” => "ۄ઒" “incident" => "(ࢠͲ΋ʢ๫ߦʣ)"

  8. ೖྗσʔλ date ग़ྗ Filter Plugin - date ೔෇ϑΟʔϧυΛύʔε͠ɺLogstashͷΠϕϯτ೔෇ͱͯ͠࢖༻ 8 "datetime"

    => “4݄16೔ʢ౔ʣɺޕલ7࣌40෼” "@timestamp" => "2016-04-16T07:40:00.000Z" • ೔෇ͷऔಘʹࣦഊͨ͠৔߹ʹ͸ɺॲཧ೔͕࣌@timestampͱͯ͠࠾༻͞ΕΔ (tag_on_failure => true ΋ݕ౼) https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html date { match => ["[@metadata][datetime]", "M݄d೔ʢEʣɺaK࣌m෼"] locale => ja timezone => "Asia/Tokyo" }

  9. Output Plugin - elasticsearch 9 output { stdout { codec

    => dots } elasticsearch { hosts => ["http://127.0.0.1:9200/"] index => "mail-%{+YYYY.MM}" } } • stdout { codec => dots } ͰɺҰ݅ॲཧ͝ͱʹυοτΛग़ྗ͢Δ • ΠϯσοΫε͕ద੾ͳαΠζʹͳΔΑ͏ɺΠϯσοΫε໊Λݕ౼͢Δ https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html

  10. Logstash Tips • ग़ྗ࣌ʹύΠϓϥΠϯΛදࣔ • ϫʔΧʔ਺Λద੾ʹઃఆ͢Δ • ҟͳΔछྨͷσʔλ͸ɺLogstash΁ͷೖྗલʹ࢓෼͚͓ͯ͘ • grok

    ϔϧύʔπʔϧΛ࢖͏ http://grokdebug.herokuapp.com http://grokconstructor.appspot.com 10 output { stdout { codec => rubydebug } } $ logstash -w [NUMBER OF WORKERS] -f [PATH TO CONFIG]

  11. Elasticsearch - Mapping • text (analyzed strings), keyword(not_analyzed strings)ϑΟʔϧυ͸5.0͔Βಋೖ •

    textϑΟʔϧυͷanalyzerʹkuromojiΛࢦఆ͢Δ • terms aggregationΛߦ͏ͨΊʹɺmulti-fieldػೳΛ࢖ͬͯkeywordϑΟʔϧυΛࢦఆ͢Δ 11 PUT /_template/mail-1 { "template": "mail-*", "mappings": { "_default_": { "properties": { "message": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }, "analyzer": "kuromoji" },... }}}}

  12. Kibana - Visualize “Terms Aggregation” keywordϑΟʔϧυͰaggregation͢Δ 12

  13. Kibana - Visualize “Filters Aggregation” analyzedϑΟʔϧυͰaggregation͢Δ 13

  14. ؔ࿈৘ใ 14