我想记录' logdate'作为类型日期,但即使在应用日期过滤器后,我也会获得“注册日期”。键入字符串。这是我的过滤器:
filter {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:logdate}\s%{LOGLEVEL:level} +: +%{WORD:USE_CASE} +: +%{WORD:STEP_DETAIL} +: +\[%{WORD:CIN}\] +: +(?<MID>([^\s]+)) +: +%{GREEDYDATA:MESSAGE_DETAILS}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
add_tag => [ "level:%{level}" ]
add_tag => [ "USE_CASE:%{USE_CASE}" ]
add_tag => [ "CIN:%{CIN}" ]
add_tag => [ "MID-%{MID}" ]
}
date {
match => [ "logdate", "yyyy-MM-dd HH:mm:ss,SSS" ]
target => "@timestamp"
}
}
这是我点击命令后得到的映射
curl -XGET localhost:9200/_mapping?pretty
映射:
"logdate" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fields" : {
"raw" : {
"type" : "string",
"index" : "not_analyzed",
"ignore_above" : 256
}
}
},
我做错了什么?有什么建议吗?
答案 0 :(得分:1)
如果您希望logdate字段为日期字段,则需要将其设为target过滤器的date
date {
match => [ "logdate", "yyyy-MM-dd HH:mm:ss,SSS" ]
target => "logdate"
}
这不会将@timestamp设置为相同的内容,因此您可能需要再次设置@timestamp。