
elasticsearch Logstash - use the current date as the date of the timestamp


I would like to use the current date as the date of the timestamp, because this information is not available in our log files. Example -> main_core.log:

04:00:19.675 [ActiveMQ Task-9] INFO  a.b.c.t.failover.FailoverTransport - Successfully reconnected to ssl://localhost:12345
I would like to split it up, using the current day as the date and taking the time from the log file.

Is this possible?


Thanks and kind regards

You can add a field containing the part of the timestamp that is missing from your log, then concatenate it with a variable containing the hour and use the result as the @timestamp field.

The filter below does the following:

filter {
    grok {
        break_on_match => false
        match => ["message", "%{TIME:hour} %{GREEDYDATA:msg}"]
        tag_on_failure => ["_grokparsefailure"]
        # Fields are added in order, so "timestamp" can reference "time".
        # %{+YYYY-MM-dd} formats the event's current @timestamp, i.e. the
        # ingest time, which Logstash keeps in UTC.
        add_field => {
            "time"      => "%{+YYYY-MM-dd}"
            "timestamp" => "%{time} %{hour}"
        }
    }
    date {
        # Parse the concatenated date + time and make it the event's @timestamp.
        match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
        target => "@timestamp"
    }
}
First, it matches your message against a grok pattern that extracts the hour and saves it in a field named hour, with the rest saved in a field named msg, but you can parse the rest if you need to.

Then it adds a field named time with the pattern YYYY-MM-dd, for example 2018-07-12.

After that it creates a field named timestamp by concatenating the time and hour fields, which results in 2018-07-12 04:00:19.675.

The date filter is used to make the generated timestamp the default timestamp field in Elastic, i.e. @timestamp.

The Logstash output for this filter looks like this:

{
 "@timestamp":"2018-07-12T04:00:19.675Z",
 "message":"04:00:19.675 [ActiveMQ Task-9] INFO a.b.c.t.failover.FailoverTransport - Successfully reconnected to ssl://localhost:12345",
 "timestamp":"2018-07-12 04:00:19.675",
 "msg":"[ActiveMQ Task-9] INFO  a.b.c.t.failover.FailoverTransport - Successfully reconnected to ssl://localhost:12345",
 "time":"2018-07-12",
 "@version":"1",
 "hour":"04:00:19.675",
 "host":"logstash-hostname"
}
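The answer's filter works when the log clock and the Logstash clock are both UTC and the line is ingested on the same calendar day it was written. The check a practitioner will want before trusting the resulting @timestamp is the midnight edge: a line stamped 23:59:58 that is shipped at 00:00:02 gets tomorrow's date unless the rollover is detected. The following Python is an added example, not the answerer's code or part of Logstash; it reproduces the grok + concatenation + date steps over constructed sample lines and adds the rollover check. It assumes the log's clock is UTC (as the answer's output implies), uses a regex standing in for %{TIME} and %{GREEDYDATA}, and treats anything more than 5 minutes in the future as belonging to the previous day (the tolerance is an assumption to tune to your shipping delay).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the format of main_core.log above (time only, no date).
SAMPLE_LINE = ("04:00:19.675 [ActiveMQ Task-9] INFO  a.b.c.t.failover.FailoverTransport"
               " - Successfully reconnected to ssl://localhost:12345")
LATE_LINE = ("23:59:58.000 [ActiveMQ Task-9] WARN  a.b.c.t.failover.FailoverTransport"
             " - Transport failed")

# Python stand-in for the grok pattern "%{TIME:hour} %{GREEDYDATA:msg}":
# HH:mm:ss with optional fractional seconds, whitespace, then the rest of the line.
LINE_RE = re.compile(
    r"^(?P<hour>(?:[01]?\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d{1,6})?)\s+(?P<msg>.*)$"
)

# A dateless line can be ingested a little after it was written, never before.
# A reconstructed timestamp further in the future than this is assumed to come
# from the previous day (written before midnight, ingested after). The 5-minute
# value is an assumption for this example; tune it to your shipping delay.
MAX_FUTURE = timedelta(minutes=5)


def iso_millis(dt):
    """Format like Logstash/Elasticsearch: millisecond precision, UTC 'Z' suffix."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def enrich(line, now=None, max_future=MAX_FUTURE):
    """Build a Logstash-style event dict for one line of main_core.log.

    `now` is the ingest time as a timezone-aware UTC datetime; it plays the
    role of the event's initial @timestamp, which %{+YYYY-MM-dd} formats in
    UTC. The log's own clock is assumed (not verified) to be UTC as well.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    event = {"message": line, "@version": "1"}

    m = LINE_RE.match(line)
    if m is None:
        # Mirror grok's tag_on_failure: keep the raw line, fall back to ingest
        # time, and do not invent a time that was never in the log.
        event["tags"] = ["_grokparsefailure"]
        event["@timestamp"] = iso_millis(now)
        return event

    hour, msg = m.group("hour"), m.group("msg")
    clock = datetime.strptime(hour, "%H:%M:%S.%f" if "." in hour else "%H:%M:%S")
    # Current date + parsed wall-clock time: what "%{time} %{hour}" produces.
    ts = now.replace(hour=clock.hour, minute=clock.minute,
                     second=clock.second, microsecond=clock.microsecond)
    if ts - now > max_future:
        ts -= timedelta(days=1)  # midnight rollover: the line is from yesterday

    event.update({
        "hour": hour,
        "msg": msg,
        "time": ts.strftime("%Y-%m-%d"),
        "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S.") + "%03d" % (ts.microsecond // 1000),
        "@timestamp": iso_millis(ts),
    })
    return event


def enrich_at(line, now_utc):
    """Same as enrich(), with the ingest time given as 'YYYY-MM-DDTHH:MM:SSZ'."""
    now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return enrich(line, now)


if __name__ == "__main__":
    import json
    print(json.dumps(enrich_at(SAMPLE_LINE, "2018-07-12T04:05:00Z"), indent=1))
    print(json.dumps(enrich_at(LATE_LINE, "2018-07-13T00:00:02Z"), indent=1))
```

In Logstash itself the same rollover guard can be approximated with a ruby filter comparing the parsed @timestamp against the ingest time, but the safer fix is upstream: configure the application's log pattern to emit the date (and ideally the zone) so the pipeline never has to guess.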