我的日志的时间戳格式为:Nov 19 00:06:37
我需要将此格式转换为ISO 8601时间戳并用作@timestamp字段吗?
处理此问题的正确配置是什么?我现在有以下配置:
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:logTimestamp} %{USERNAME:myServer} %{USERNAME:myProcessName}: %{INT:operationType} %{WORD}, \"%{INT} %{WORD}, %{WORD} %{WORD}: /%{WORD}/%{WORD:clientId}/%{WORD}, %{WORD} %{WORD}: %{WORD:myId1}, \"%{WORD:status}\", %{WORD}-%{WORD}: %{INT:sessionId}"
}
}
date {
match => [ "logTimestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
答案 0 :(得分:0)
要将Logstash生成的@timestamp值作为元数据参数更新为grok生成的timestamp或logTimestamp值,请使用日期插件匹配并更新@timestamp的值。
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" } # --> COMBINEDAPACHELOG gives timestamp as output
}
date {
match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z"] # --> Here match the pattern of timestamp to the format
target => "@timestamp" # --> Here the @timestamp value will be updated
remove_field => ["timestamp"]
}
useragent {
source => "agent"
}
}