我有 logstash 过滤器配置,如下所示:
(Sorry for bad English)当它将带有日期和时间的Apache Tomcat Server日志消息过滤为:
filter{
...
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
target => "@timestamp"
add_field => { "debug" => "timestampMatched"}
}
...
}
生成message => [2015-12-03 16:46:49,240]
字段为:
@timestamp我能理解的是 "@timestamp" => "2015-12-03T21:46:49.240Z"
。
解决这个问题:
我在过滤器添加时区内修改了日期部分,如下所示:
timestamp field generated by logstash is 5 hours ahead of time of what is present in tomcat log message哪个不起作用,然后我在过滤器中添加了ruby块,使 date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
target => "@timestamp"
timezone =>"EST"
add_field => { "debug" => "timestampMatched"}
}
字段与服务器日志消息匹配,没有运气,如下所示:
@timestamp知道如何将 ruby {
code => "event['@timestamp'] = LogStash::Timestamp.new(Time.at(event['@timestamp'].to_i()).getlocal('-05:00'))"
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
target => "@timestamp"
add_field => { "debug" => "timestampMatched"}
}
字段与服务器日志消息中的日期和时间字段匹配?
感谢。