- elasticsearch/
elasticsearch Logstash JDBC输入,过滤不同于@timestamp的事件时间戳
elasticsearch Logstash JDBC输入,过滤不同于@timestamp的事件时间戳
我正在尝试更改
@时间戳时间戳input {
jdbc {
jdbc_driver_library => "C:/logstash/lib/mysql-connector-java-5.1.37-bin.jar"
jdbc_driver_class => "com.mysql.jdbc.Driver"
jdbc_connection_string => "jdbc:mysql://127.0.0.1:3306/transport"
jdbc_user => "root"
jdbc_password => ""
schedule => "* * * * *"
statement => "select id, timestamp, type, service, data, success, trans_id from audit where timestamp >= :sql_last_start"
}
}
filter {
date {
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss,SSS" ]
add_tag => [ "tsmatch" ]
}
}
output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "audit-%{+YYYY.MM.dd}"
document_id => "%{id}"
}
stdout {
codec => rubydebug
}
}
{
"id" => 32,
"timestamp" => 2015-11-18 18:21:44 +0000,
"type" => "Scheduled",
"service" => "Road",
"data" => "Changing the time",
"success" => 1,
"trans_id" => "ta819rsc",
"@version" => "1",
"@timestamp" => "2015-11-18T18:22:00.069Z",
"tags" => [
[0] "_dateparsefailure"
]
}
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss ZZZ" ]
\u dateparsefailure日期戳且无法转换有关
G注意文档中的_dateparsefailure标记
您的“时间戳”字段如下所示:2015-11-18 18:21:44+0000
而您的日期{}模式看起来是这样的:YYYY-MM-dd-HH:MM:ss,SSS
它们需要匹配。注意文档中的_dateparsefailure标记
您的“时间戳”字段如下所示:2015-11-18 18:21:44+0000
而您的日期{}模式看起来是这样的:YYYY-MM-dd-HH:MM:ss,SSS
它们需要匹配。好的,我终于想出了如何使@timestamp
与事件发生的时间匹配的方法
我需要将我的时间戳格式化为字符串格式,这是在DATE\u format()
from的帮助下完成的
MySQL数据:
这是logstashconf代码
input {
jdbc {
code omitted....
schedule => "* * * * *"
statement => "select id, DATE_FORMAT(timestamp, '%Y-%m-%d %T') AS timestamp, type, service, data, success, trans_id from `transport`.`audit` where timestamp >= :sql_last_start"
}
}
filter {
date {
locale => "en"
timezone => "UTC"
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
target => "@timestamp"
}
}
output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "audit-%{+YYYY.MM.dd}"
document_id => "%{id}"
}
stdout {
codec => rubydebug
}
}
输出
{
"id" => 65,
"timestamp" => "2015-11-19 11:28:31",
"type" => "Scheduled",
"service" => "Road",
"data" => "Changing the time",
"success" => 1,
"trans_id" => "ee565",
"@version" => "1",
"@timestamp" => "2015-11-19T11:28:31.000Z"
}
如您所见,@timestamp
匹配事件的时间戳
弹性搜索索引
我希望这对其他人有帮助
G好的,我终于想出了如何使@timestamp
与事件发生的时间相匹配的方法
我需要将我的时间戳格式化为字符串格式,这是在DATE\u format()
from的帮助下完成的
MySQL数据:
这是logstashconf代码
input {
jdbc {
code omitted....
schedule => "* * * * *"
statement => "select id, DATE_FORMAT(timestamp, '%Y-%m-%d %T') AS timestamp, type, service, data, success, trans_id from `transport`.`audit` where timestamp >= :sql_last_start"
}
}
filter {
date {
locale => "en"
timezone => "UTC"
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
target => "@timestamp"
}
}
output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "audit-%{+YYYY.MM.dd}"
document_id => "%{id}"
}
stdout {
codec => rubydebug
}
}
输出
{
"id" => 65,
"timestamp" => "2015-11-19 11:28:31",
"type" => "Scheduled",
"service" => "Road",
"data" => "Changing the time",
"success" => 1,
"trans_id" => "ee565",
"@version" => "1",
"@timestamp" => "2015-11-19T11:28:31.000Z"
}
如您所见,@timestamp
匹配事件的时间戳
弹性搜索索引
我希望这对其他人有帮助
G我也遇到了同样的问题,jdbc输入过滤器检索到的字段时间戳不是日期过滤器插件
我认为问题在于jdbc输入插件返回一个日期类型字段,而日期过滤器插件需要解析一个字符串
这就是为什么当您通过sql语句将日期字段转换为字符串格式时,它会起作用
我找到了另一个解决方案:
在sql语句中,只需执行以下操作
statement => "select id, timestamp as \"@timestamp\", type, service ..."
PS:\“@timestamp\”与我的jdbc驱动程序UCanasses不兼容,我使用了
[@timestamp]
我也遇到了同样的问题,jdbc输入过滤器检索到的字段时间戳不是日期过滤器插件
我认为问题在于jdbc输入插件返回一个日期类型字段,而日期过滤器插件需要解析一个字符串
这就是为什么当您通过sql语句将日期字段转换为字符串格式时,它会起作用
我找到了另一个解决方案:
在sql语句中,只需执行以下操作
statement => "select id, timestamp as \"@timestamp\", type, service ..."
PS:\“@timestamp\”与我的jdbc驱动程序UCanasses不兼容,我使用了
[@timestamp]
您能建议我如何修复吗?您的数据没有秒数,因此请丢失“SSS”部分。您有一个时区偏移量,可能与“ZZZ”匹配。我确实尝试了您所说的,但仍然得到相同的错误,并且时间戳仍然不匹配<代码>匹配=>[“timestamp”,“YYYY-MM-dd HH:MM:ss-ZZZ”]