Filter 在Logstatsh中过滤数据
我当前正在日志存储设置中使用以下过滤器:Filter 在Logstatsh中过滤数据,filter,config,logstash,Filter,Config,Logstash,我当前正在日志存储设置中使用以下过滤器: filter { if [type] == "can_robbery" { csv { columns => ["Date","Time","Transit","Region","Address","City","Province","Postal Code","Country","Robbery Type","Amt Stolen","Recovery Amt","Net Loss","Dye Pac","GPS Give
filter {
if [type] == "can_robbery" {
csv {
columns => ["Date","Time","Transit","Region","Address","City","Province","Postal Code","Country","Robbery Type","Amt Stolen","Recovery Amt","Net Loss","Dye Pac","GPS Given?","Dye Pack Success (Arrest/Stained Money)","Decoy","Weapon Displayed","Follow Robbery Guidelines","Guard/Greeter","Cash Platform Analysis","Aggressive","Arrest Info (from donna)","# of Suspects","# Rob in 2 yrs","Crime Risk","Multi-Robbery with same suspect","Disguise","Employee Related","AMIS","Weapon Used? [Y/N]","Decoy (Given Count)","DyePac (Given Count)","GPS Given","Ancillary used?","Notes"]
separator => ","
}
mutate {
replace => [ "date" , "%{Date} %{Time}" ]
}
}
}
我需要在过滤器配置文件中进行哪些更改?最简单的方法是将日期和时间字段合并为一个字段,就像您正在做的那样。我会使用add_字段,并使用更独特的字段名:
mutate {
add_field => [ "myDateTime" , "%{Date} %{Time}" ]
}
date {
match => [ "myDateTime", "mm/dd/YYYY HH:mm:ss" ]
}
如果在此之后不需要myDateTime,可以将其删除。是否可以将其中一个输入字符串放入日志消息?调试它会很有帮助。此外,如果您想更改时间戳值上的时间,您需要使用日志存储中的
date