- elasticsearch/
elasticsearch 从日志文件中抽出时间
elasticsearch 从日志文件中抽出时间
以下是原始日志: 2017-09-17 08:34:54 181409 10.110.82.122 200 TCP_TUNNELED 4440 1320 CONNECT TCP cdn.appdynamics.com 443/-ANILADE-10.100.134.6--“Mozilla/5.0(Windows NT 10.0;Win64;x64)AppleWebKit/537.36(KHTML,如Gecko)Chrome/60.0.3112.113 Safari/537.36”观察到的“技术/互联网”-.100.134.6 这是我的日志存储配置文件:
input {
beats {
port => "5044"
}
}
filter
#start of filter
{
grok
#start of grok filter
{
match =>
#start of match
{"message"=>"%{TIMESTAMP_ISO8601:@timestamp} (%{NUMBER:time_taken}|\-) (%{IP:sourceIP}|\-) (%{NUMBER:status}|\-) (%{WORD:action}|\-) (%{NUMBER:scBytes}|\-) (%{NUMBER:csBytes}|\-) (%{WORD:method}|\-) (%{WORD:uri_scheme}|\-) (%{URIHOST:url}|\-) (%{NUMBER:port}|\-) (?<uri_path>([a-zA-Z0-9\/\.\?\-\_]+)|(\/)) (?<uri_query>([a-zA-Z0-9\/\.\?\-\=\&\%]+)) (?<username>([a-zA-Z0-9\/\.\?\-]+)) (?<auth_group>([a-zA-Z0-9\/\.\?\-]+)) (?<destIP>([a-zA-Z0-9\.\-]+)) (?<content_type>([a-zA-Z0-9\-\/\;\%\=]+)) (?<referer>[a-zA-Z0-9\-\/\;\%\=\:\.]+) (%{QUOTEDSTRING:user_agent}|\-) (%{WORD:filter_result}|\-) (%{QUOTEDSTRING:category}|\-) (?<vir_id>([a-zA-Z0-9\-\/.])) (%{IP:proxyIP}|\-)"
}
#end of match
}
#end of grok
date
#start of date filter
{
match=>["@timestamp","ISO8601"]
}
#end of date filter
}
#end of filter
output
{
elasticsearch
{
hosts => ["localhost:9200"]
index => proxylog
}
}
add_field=>["timestamp","%{year}-%{month}-%{day} %{time}"]
date{
match=>["timestamp","YYYY-MM-DD HH:mm:ss"]
remove_field=>["timestamp","year","month","day"]}
}
没有发现运气。有人能指出一个解决方案吗?因为在elasticsearch和stackoverflow论坛上找到的任何连锁店都没有帮助。谁能告诉我是否需要更改filebeat的任何配置,因为我正在使用filebeat将日志发送到logstash。可能是因为
@timestamp%{TIMESTAMP_ISO8601:[@metadata][timestamp]}
然后使用带有[@metadata][timestamp]作为输入的日期{}过滤器设置@timestamp。您可以在日期过滤器中添加
target=>“new_field”{message message=>“%{timestamp\u ISO8601:@timestamp}match=>[“@timestamp”,”ISO8601“]%{TIMESTAMP_ISO8601:[@metadata][timestamp]}