elasticsearch ELK-如何从日志文件中选择时间戳而不是插入的时间戳,elasticsearch,logstash,kibana,elasticsearch,Logstash,Kibana" /> elasticsearch ELK-如何从日志文件中选择时间戳而不是插入的时间戳,elasticsearch,logstash,kibana,elasticsearch,Logstash,Kibana" />
Fatal编程技术网
  • elasticsearch/
  • elasticsearch ELK-如何从日志文件中选择时间戳而不是插入的时间戳

elasticsearch ELK-如何从日志文件中选择时间戳而不是插入的时间戳

logstash kibana

elasticsearch ELK-如何从日志文件中选择时间戳而不是插入的时间戳,elasticsearch,logstash,kibana,elasticsearch,Logstash,Kibana,我知道有很多解决方案,但我找不到最好的解决方案 我使用的是ELK**5.x,**我试图将Kibana配置为依赖于日志文件的时间戳,而不是插入时间戳 这是来自日志文件的示例: {"@timestamp":"2018-05-01T00:00:44.191Z","@version":"1","host":"x.x.x.x","lt":{"ln":"abc","mp":"2","lo":x.x,"bi":null,"px":x.x,"dm":"x","py":x.x,"pz":x.x.,"apMac":

我知道有很多解决方案,但我找不到最好的解决方案

我使用的是ELK**5.x,**我试图将Kibana配置为依赖于日志文件的时间戳,而不是插入时间戳

这是来自日志文件的示例:

{"@timestamp":"2018-05-01T00:00:44.191Z","@version":"1","host":"x.x.x.x","lt":{"ln":"abc","mp":"2","lo":x.x,"bi":null,"px":x.x,"dm":"x","py":x.x,"pz":x.x.,"apMac":"x:x:x:x:x:x","am":null,"ap":null,"sc":-x,"ar":null,"as":0,"la":x.x,"si":"x:x:x:x:x:x","lh":null,"pn":2,"po":0},"type":"x"}
此日志存储配置文件:

filter {
    grok {
         match => ["message", "%{TIMESTAMP_ISO8601:tstamp}"]
    }

    date {
 match => ["mytimestamp", "dd/MMM/YYYY:HH:mm:ss +ZZZ"]
         }
    }
但Kibana表明:

No results found 
Unfortunately I could not find any results matching your search. I tried really hard. I looked all over the place and frankly, I just couldn't find anything good. Help me, help you. Here are some ideas:
}

您在日期筛选器中使用的格式似乎错误,请使用ISO8601而不是dd/MMM/YYYY:HH:mm:ss+ZZZ 
filter {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:tstamp}"]
}
date {
match => ["tstamp", "ISO8601"]
}