- elasticsearch/
elasticsearch Logstash和ElasticSearch筛选器日期@时间戳问题
elasticsearch Logstash和ElasticSearch筛选器日期@时间戳问题
我试图使用
LogstashElasticSearch日期过滤器来替换@timestamp
一切都很好,但是在使用过滤器时,我没有获得所有数据
我不明白为什么@timestamp
值中的Logstash命令行与Elasticsearch
之间存在差异
Logstash形态
Logstash命令行跟踪
弹性搜索结果
请确保您的所有日志都符合格式
您可以在logstash命令行中看到日志的跟踪
26-08-2014 11:16:18021[调试]com.fnx.snapshot.mdb.SnapshotMDB-SnapshotMDB Ctor被调用\r\n
但是,在elastsicsearch中,日志是
15:07565[DEBUG]com.fnx.snapshot.mdb.SnapshotMDB-SnapshotMDB Ctor被调用\r“
两个日志的时间不同,格式也不相同!第二个日志没有关于白天的任何信息,因此将导致grok filter
解析错误。您可以去检查原始日志。或者,如果所有日志都是格式的,您可以提供原始日志示例以供更多讨论
filter {
mutate {
replace => {
"type" => "dashboard_a"
}
}
grok {
match => [ "message", "%{DATESTAMP:Logdate} \[%{WORD:Severity}\] %{JAVACLASS:Class} %{GREEDYDATA:Stack}" ]
}
date {
match => [ "Logdate", "dd-MM-yyyy hh:mm:ss,SSS" ]
}
}
{
**"@timestamp" => "2014-08-26T08:16:18.021Z",**
"message" => "26-08-2014 11:16:18,021 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\r",
"@version" => "1",
"host" => "bts10d1",
"path" => "D:\\ElasticSearch\\logstash-1.4.2\\Dashboard_A\\Log_1\\6.log",
"type" => "dashboard_a",
"Logdate" => "26-08-2014 11:16:18,021",
"Severity" => "DEBUG",
"Class" => "com.fnx.snapshot.mdb.SnapshotMDB",
"Stack" => " - SnapshotMDB Ctor is called\r"
}
{
"_index": "logstash-2014.08.28",
"_type": "dashboard_a",
"_id": "-y23oNeLQs2mMbyz6oRyew",
"_score": 1,
"_source": {
**"@timestamp": "2014-08-28T14:31:38.753Z",
**"message": "15:07,565 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\r",
"@version": "1",
"host": "bts10d1",
"path": "D:\\ElasticSearch\\logstash-1.4.2\\Dashboard_A\\Log_1\\6.log",
"type": "dashboard_a",
"tags": ["_grokparsefailure"]
}
}