Question

我目前在我的logstash设置中使用以下过滤器：

filter {
  if [type] == "can_robbery" {
    csv {
      columns => ["Date","Time","Transit","Region","Address","City","Province","Postal Code","Country","Robbery Type","Amt Stolen","Recovery Amt","Net Loss","Dye Pac","GPS Given?","Dye Pack Success (Arrest/Stained Money)","Decoy","Weapon Displayed","Follow Robbery Guidelines","Guard/Greeter","Cash Platform Analysis","Aggressive","Arrest Info (from donna)","# of Suspects","# Rob in 2 yrs","Crime Risk","Multi-Robbery with same suspect","Disguise","Employee Related","AMIS","Weapon Used? [Y/N]","Decoy (Given Count)","DyePac (Given Count)","GPS Given","Ancillary used?","Notes"]
      separator => ","
    }

    mutate {
      replace => [ "date" , "%{Date} %{Time}" ]
    }
  }
}

我得到的是：

＆＃34; @ timestamp＆＃34;：＆＃34; 2014-11-18T16：32：48.807Z＆＃34;，

＆＃34;输入＆＃34;：＆＃34; can_robbery＆＃34;，

＆＃34;主持人＆＃34;：＆＃34; digitalevidence-ThinkCentre-M58p＆＃34;，

＆＃34; path＆＃34;：＆＃34; /home/digitalevidence/temp/canada/robbery.csv" ;,

＆＃34;日期＆＃34;：＆＃34; 9/29/2014＆＃34;，

＆＃34;时间＆＃34;：＆＃34; 17：50：00＆＃34;，

我想要的是：

＆＃34; @ timestamp＆＃34;：＆＃34; 2014-09-29T17：50：00.000Z＆＃34;，

＆＃34;输入＆＃34;：＆＃34; can_robbery＆＃34;，

＆＃34;主持人＆＃34;：＆＃34; digitalevidence-ThinkCentre-M58p＆＃34;，

＆＃34; path＆＃34;：＆＃34; /home/digitalevidence/temp/canada/robbery.csv" ;,

＆＃34;日期＆＃34;：＆＃34; 9/29/2014＆＃34;，

＆＃34;时间＆＃34;：＆＃34; 17：50：00＆＃34;，

我的过滤器配置文件需要进行哪些更改？

Answer 1

最简单的方法是将日期和时间字段合并为一个，就像你正在做的那样。我本来会使用add_field并使用更明确的字段名称：

mutate {
  add_field => [ "myDateTime" , "%{Date} %{Time}" ]
}

此字段的外观如下：9/29/2014 17:50:00

然后，您可以使用日期过滤器将@timestamp字段替换为新值。

date {
  match => [ "myDateTime", "mm/dd/YYYY HH:mm:ss" ]
}

（我不是100％的模式，但它很接近）。

如果您在此之后不需要myDateTime，则可以将其删除。

在Logstash中过滤数据

1 个答案: