Filtering on a nested date field in Logstash
I am trying to use the date filter on a nested date field in JSON. JSON snippet:
"_source": {
"QueryResult": {
"Results": [
{
"CreationDate": "2016-12-13T05:37:11.953Z",
Filter configuration:
filter {
date {
match => [ "[QueryResult][Results][CreationDate]", "ISO8601" ]
}
}
It keeps failing with the following error:
[2017-01-05T19:40:44,575][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>java.lang.NumberFormatException: For input string: "CreationDate", "backtrace"=>["java.lang.
NumberFormatException.forInputString(java/lang/NumberFormatException.java:65)", "java.lang.Integer.parseInt(java/lang/Integer.java:580)", "java.lang.Integer.parseInt(java/lang/Integer.java:615)", "org.logstash.Accessors.fetch(org/logstash/Accessors.java:130)", "org.logstash.Accessors.get(org/logstas
h/Accessors.java:20)", "org.logstash.Event.getUnconvertedField(org/logstash/Event.java:160)", "org.logstash.Event.getField(org/logstash/Event.java:150)", "org.logstash.filters.DateFilter.executeParsers(org/logstash/filters/DateFilter.java:97)", "org.logstash.filters.DateFilter.receive(org/logstash/f
ilters/DateFilter.java:78)", "java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:497)", "RUBY.multi_filter(/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-date-3.1.1/lib/logstash/filters/date.rb:191)", "RUBY.multi_filter(/usr/share/logstash/logstash-core/lib/logstash/filt
er_delegator.rb:41)", "RUBY.filter_func((eval):42)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:
281)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192)", "or
g.jruby.RubyHash.each(org/jruby/RubyHash.java:1342)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logsta
sh/util/wrapped_synchronous_queue.rb:191)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294)", "RUBY.worker_loop(/usr/share/logstash/logstash-core/lib/lo
gstash/pipeline.rb:282)", "RUBY.start_workers(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:258)", "java.lang.Thread.run(java/lang/Thread.java:745)"]}
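I have been trying to figure this out for the past few days, but with no luck.
I tried removing codec: json as suggested @ and checking the date format as suggested @ and
Based on the posts above, I tried the filter snippet below, but still got the same error: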
date {
match => [ "[QueryResult][Results][CreationDate]",
"UNIX",
"UNIX_MS",
"ISO8601",
"timestamp",
"yyyy-MM-dd HH:mm:ss.SSS",
"yyyy-MM-dd HH:mm:ss,SSS",
"yyyy-MM-dd HH:mm:ss",
"yyyy/MM/dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss",
"dd/MMM/yyyy:HH:mm:ss Z",
"yyyy-MM-dd HH:mm:ss.SSSZ",
"yyyy-MM-dd'T'HH:mm:ss.SSSZ",
"yyyy-MM-dd'T'HH:mm:ssZ",
"E MMM dd HH:mm:ss yyyy Z" ]
target => "timestamp"
}
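Any help/clues would be much appreciated.

The complaint is "java.lang.NumberFormatException: For input string: "CreationDate"", which means it is trying to find your data format in the string "CreationDate" rather than in the string you want it to search.

Thanks, Alain, for the quick response. So I am probably using the wrong expression to match the date value. Do you have any suggestions on what the first expression should be to match the date value of CreationDate?

As a workaround, you could use a mutate filter to simply copy the nested field to a field at the top level of the document and then use the date filter. I'll see if I can reproduce your issue and find a real solution, but another thing I noticed that may be relevant is that Results is an array, and the object at index 0 has CreationDate. Try using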
[QueryResult][Results][0][CreationDate]

Actually, I am trying to use CreationDate as the @timestamp for the Results list/array, so that when the output is written to Elasticsearch, the timestamp is not the index creation date but the date in the CreationDate field.
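
Why the original reference fails and the indexed one resolves, as an added Ruby example that is not part of the original thread and is not Logstash's own code: it is a simplified model of field-reference lookup in which an array element can only be addressed by an integer index, matching the `Integer.parseInt` frame in the stack trace. The helpers `split_reference`, `fetch_field`, `resolve_timestamp` and the sample event are constructed for illustration.

```ruby
require 'time'

# Constructed sample event, shaped like the JSON snippet in the question.
EVENT = {
  'QueryResult' => {
    'Results' => [
      { 'CreationDate' => '2016-12-13T05:37:11.953Z' }
    ]
  }
}.freeze

# Split "[a][b][0]" into ["a", "b", "0"].
def split_reference(ref)
  ref.scan(/\[([^\[\]]+)\]/).flatten
end

# Simplified model of field-reference lookup (hypothetical helper, not Logstash code):
# a Hash is indexed by key, an Array only by integer position.
def fetch_field(event, ref)
  split_reference(ref).reduce(event) do |node, key|
    case node
    when Hash  then node[key]
    when Array then node[Integer(key, 10)] # raises ArgumentError for "CreationDate"
    else return nil                        # path runs past a missing or scalar value
    end
  end
end

# Resolve the reference and parse the value as ISO8601.
# Returns a UTC Time on success, or a String describing the failure.
def resolve_timestamp(event, ref)
  value = fetch_field(event, ref)
  return "no value at #{ref}" unless value.is_a?(String)
  Time.iso8601(value).utc
rescue ArgumentError => e
  "lookup failed: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  ['[QueryResult][Results][CreationDate]',
   '[QueryResult][Results][0][CreationDate]'].each do |ref|
    puts "#{ref} -> #{resolve_timestamp(EVENT, ref).inspect}"
  end
end
```

The model only resolves a single array element; when Results holds several objects, each one needs its own index or the array has to be split into separate events before the date filter runs.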