我想创建@timestamp字段的副本,使其使用与@timestamp相同的格式。
我尝试了以下内容:
mutate
{
add_field => ["read_time", "%{@timestamp}"]
}
但@timestamp的格式为:2014-08-01T18:34:46.824Z,
read_time采用此格式2014-08-01 18:34:46.824 UTC
这是一个问题,因为Kibana不理解直方图的“UTC”格式。
有没有办法使用日期过滤器来执行此操作?
答案 0 :(得分:11)
Kibana无法理解,因为read_time字段是字符串,而不是时间戳!
您可以使用ruby过滤器来执行您需要的操作。只需将@timestamp复制到新字段read_time,字段时间为时间戳,而不是字符串。 add_field是添加字符串类型的新字段!
这是我的配置:
input {
stdin{}
}
filter {
ruby {
code => "event['read_time'] = event['@timestamp']"
}
mutate
{
add_field => ["read_time_string", "%{@timestamp}"]
}
}
output {
stdout {
codec => "rubydebug"
}
}
您可以尝试查看输出,输出为:
{
"message" => "3243242",
"@version" => "1",
"@timestamp" => "2014-08-08T01:09:49.647Z",
"host" => "BENLIM",
"read_time" => "2014-08-08T01:09:49.647Z",
"read_time_string" => "2014-08-08 01:09:49 UTC"
}
希望这可以帮到你。
答案 1 :(得分:2)
您不需要运行任何Ruby代码。您只需使用add_field的Mutate filter plugin设置:
mutate {
# Preserve "@timestamp" as "logstash_intake_timestamp"
add_field => { "logstash_intake_timestamp"=> "%{@timestamp}" }
}
date {
# Redefines "@timestamp" field from parsed timestamp, rather than its default value (time of ingestion by Logstash)
# FIXME: include timezone:
match => [ "timestamp_in_weird_custom_format", "YYYY-MM-dd HH:mm:ss:SSS" ]
tag_on_failure => ["timestamp_parse_failed"]
target => "@timestamp"
}