Logstash time filter field name: @timestamp in Kibana

Tags: logstash, kibana, logstash-grok

The date and time format in my log file looks like this:

[29/02/2020 07:34:27.805] - sc879537 - 10.107.172.25 - 12 - Transaction 2659 COMPLETED 6849 ms wait time 3597 ms
I want this value to be filled into the @timestamp field in Kibana, because right now it contains the time of the indexing operation rather than the time the log line was written. This is my Logstash config file:

input {
    file { 
        path => "/home/mathis/Documents/intranet-2020-02-25-8400.log"
        start_position => "beginning"
    }
}
filter {
    grok {
        match => { "message" => ["\[%{DATESTAMP:logdate}\] \- %{USERNAME:user} \- %{IPV4:clientip} \- %{NUMBER} \- %{WORD} %{NUMBER:exectime} %{WORD} %{NUMBER:time} %{GREEDYDATA:data} %{NUMBER:waittime}"] }
        remove_field => "message"
    }
    date {
        match => [ "logdate", "MM/dd/YYYY HH:mm:ss.SSS" ]
    }
}
output {
    elasticsearch {
        hosts => "127.0.0.1:9200"
        index => "logstash-local3-%{+YYYY.MM.dd}"
    }
}

I have solved my problem; this is my conf file:

input {
    file { 
        path => "/home/mathis/Documents/intranet-2020-02-25-8400.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}
filter {
    grok {
        match => { "message" => ["\[%{DATESTAMP:eventtime}\] \- %{USERNAME:user} \- %{IPV4:clientip} \- %{NUMBER} \- %{WORD} %{NUMBER:exectime} %{WORD} %{NUMBER:time} %{GREEDYDATA:data} %{NUMBER:waittime}"] }
        remove_field => "message"
    }
    date {
            match => [ "eventtime", "dd/MM/YYYY HH:mm:ss.SSS" ]
        target => "@timestamp"
    }
}
output {
    elasticsearch {
        hosts => "127.0.0.1:9200"
        index => "logstash-local3-%{+YYYY.MM.dd}"
    }
}
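As an added illustration (not code from the question or the answer above), the following Python mirrors what the grok and date filters do to the sample line: the grok captures as a plain regex, then the timestamp parsed day-first as in the working config versus month-first as in the original one, which fails on 29/02 and leaves @timestamp at ingest time with a _dateparsefailure tag. It assumes the application logs UTC times; adjust the timezone if the host writes local time.

```python
import re
from datetime import datetime, timezone

# Constructed sample line in the same layout as the one in the question.
SAMPLE_LINE = ("[29/02/2020 07:34:27.805] - sc879537 - 10.107.172.25 - 12 - "
               "Transaction 2659 COMPLETED 6849 ms wait time 3597 ms")

# Plain-regex equivalent of the grok pattern from the question; each named
# group stands in for one grok capture (DATESTAMP, USERNAME, IPV4, NUMBER, WORD).
LINE_RE = re.compile(
    r"\[(?P<eventtime>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\] - "
    r"(?P<user>[a-zA-Z0-9._-]+) - (?P<clientip>(?:\d{1,3}\.){3}\d{1,3}) - "
    r"(?P<seq>\d+) - (?P<kind>\w+) (?P<exectime>\d+) (?P<status>\w+) "
    r"(?P<time>\d+) (?P<data>.*?) (?P<waittime>\d+) ms$"
)


def try_parse(value, fmt):
    """Return a datetime, or None when the format does not fit (the date
    filter's _dateparsefailure case)."""
    try:
        return datetime.strptime(value, fmt)
    except ValueError:
        return None


def parse_line(line, day_first=True):
    """Apply the 'grok' regex, then the 'date' step with either the day-first
    pattern (dd/MM/YYYY, the fix) or the month-first one (MM/dd/YYYY, the bug)."""
    m = LINE_RE.match(line)
    if not m:
        return None  # grok would tag the event _grokparsefailure
    fields = m.groupdict()
    fmt = "%d/%m/%Y %H:%M:%S.%f" if day_first else "%m/%d/%Y %H:%M:%S.%f"
    ts = try_parse(fields["eventtime"], fmt)
    if ts is None:
        # Month 29 does not exist: the event keeps the ingest time, which is
        # exactly the symptom the question describes.
        fields["tags"] = ["_dateparsefailure"]
        fields["@timestamp"] = datetime.now(timezone.utc)
    else:
        # Assumption: the log records UTC; change tzinfo if it records local time.
        fields["@timestamp"] = ts.replace(tzinfo=timezone.utc)
    return fields
```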
