elasticsearch Logstash-设置JSON解析对象的时间戳,elasticsearch,logstash,elastic-stack,elasticsearch,Logstash,Elastic Stack" /> elasticsearch Logstash-设置JSON解析对象的时间戳,elasticsearch,logstash,elastic-stack,elasticsearch,Logstash,Elastic Stack" />
Fatal编程技术网
  • elasticsearch/
  • elasticsearch Logstash-设置JSON解析对象的时间戳

elasticsearch Logstash-设置JSON解析对象的时间戳

logstash

elasticsearch Logstash-设置JSON解析对象的时间戳,elasticsearch,logstash,elastic-stack,elasticsearch,Logstash,Elastic Stack,我在设置JSON解析的时间戳时遇到了问题 我有这个字符串: [{"orderNumber":"423523-4325-3212-4235-463a72e76fe8","externalOrderNumber":"reactivate_22d6ff0d8f55eb821be14df9d35505a6","operation":{"name":"CAPTURE","amount":134,"status":"SUCCESS","createdAt":"2015-05-11T09:14:30.969Z

我在设置JSON解析的时间戳时遇到了问题

我有这个字符串:

[{"orderNumber":"423523-4325-3212-4235-463a72e76fe8","externalOrderNumber":"reactivate_22d6ff0d8f55eb821be14df9d35505a6","operation":{"name":"CAPTURE","amount":134,"status":"SUCCESS","createdAt":"2015-05-11T09:14:30.969Z","updatedAt":{}}}]
我使用这个Logstash过滤器将其解析为json:

   grok {
        match => { "message" => "\[%{GREEDYDATA:firstjson}\]%{SPACE} \[%{GREEDYDATA:secondjson}\}]}]"}
        }
        json{
            source => "firstjson"
        }
        date {
            match => [ "operation.createdAt", "ISO8601"]
        }
        mutate {
            remove_field => [ "firstjson", "secondjson" ]
        }
    }
这将在ElasticSearch中创建一个文档。我有一个名为operation.createdAt的字段,它被正确地识别为日期字段。但出于某种原因,这一行:

   date {
         match => [ "operation.createdAt", "ISO8601"]
        }
未设置@timestamp字段。当前@timestamp字段在插入文档时设置。我做错了什么?

多亏了公司的好人,我找到了答案

而不是:

date {
match => [ "operation.createdAt", "ISO8601"]
}
我用这个:

date {
    match => [ "[operation][createdAt]", "ISO8601"]
}
这将正确地提取和解析JSON时间对象

多亏了公司的好人,我找到了答案

而不是:

date {
match => [ "operation.createdAt", "ISO8601"]
}
我用这个:

date {
    match => [ "[operation][createdAt]", "ISO8601"]
}
这将正确地提取和解析JSON时间对象