我现在已经尝试了几个小时,但grok根本不想正确解析时间戳:
消息:
Tue, 13 Oct 2015 21:30:26 GMT users_service Three users logged in.
.conf文件:
input { stdin { } }
filter {
grok {
match => { "message" => "%{DAY:day}, %{MONTHDAY:month_day} %{MONTH:month} %{YEAR:year} %{TIME:time} GMT %{WORD:service} %{GREEDYDATA:message_entry}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "timestamp", "dd MMM yyyy HH:mm:ss" ]
locale => "en"
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
我得到的是:
{
"message" => "Tue, 13 Oct 2015 21:30:26 GMT users_service Three users logged in.",
"@version" => "1",
"@timestamp" => "2015-10-13T23:09:58.738Z",
"host" => "users_host",
"day" => "Tue",
"month_day" => "13",
"month" => "Oct",
"year" => "2015",
"time" => "21:30:26",
"service" => "users_service",
"message_entry" => "Three users logged in.",
"received_at" => "2015-10-13T23:09:58.738Z",
"received_from" => "users_host"
}
我当时希望有一个timestamp字段,但是没有。
答案 0 :(得分:0)
如您所见,grok {}正在为您制作几个字段。 date {}期望单个字段和该字段的格式,但配置中没有任何内容将它们组合回单个时间戳'您可以使用的字段。
您有两种选择:制作一个不同的grok模式,将所有日期/时间内容放入一个字段,然后将其(使用正确的模式信息)传递到日期{},或使用add_field创建一个新字段你拥有的所有作品。
答案 1 :(得分:0)
您配置的date过滤器需要记录中的"timestamp"字段。目前,您的记录中不包含具有该名称和预期内容的字段。
您可以使用消息中匹配的数据和grok设置在add_field过滤器中创建所需字段,然后在日期过滤器成功时删除临时字段:
filter {
grok {
match => {
"message" => "%{DAY:day}, %{MONTHDAY:month_day} %{MONTH:month} %{YEAR:year} %{TIME:time} GMT %{WORD:service} %{GREEDYDATA:message_entry}"
}
add_field => {
"received_at" => "%{@timestamp}"
"received_from" => "%{host}"
"timestamp" => "%{month_day} %{month} %{year} %{time}"
}
}
date {
match => [ "timestamp", "dd MMM yyyy HH:mm:ss" ]
locale => "en"
remove_field => [ "timestamp" ]
}
}