我正在尝试解析时间戳并将其存储为date elasticsearch类型。将其存储为字符串类型没有问题,但我想根据此时间戳查询日志。它的格式不是标准格式,并且没有以logstash模式构建。
这就是日期的显示方式:12/24/15 16:37:14:921 CST
有时1/24/15 16:37:14:921 CST
MM/dd/YY HH:mm:ss.SSS z和M/dd/YY HH:mm:ss.SSS z都不起作用。
以下是我的日志示例
[12/24/15 16:37:14:921 CST] 00000094 ApplicationMg A WSVR0204I: Application: <some_project_name> Application build level: Unknown
[12/24/15 16:37:15:436 CST] 00000094 SibMessage W [:] CWSII0269W: The runtime accessed the user repository for <some module name> to populate missing unique name data when loading the authorization model for the bus.
[12/24/15 16:37:15:452 CST] 00000094 SibMessage I [:] CWSII0210I: The authorization policy for the <some module name> has been updated as a result of an administrative update.
[12/24/15 16:37:15:468 CST] 00000094 SibMessage W [:] CWSII0269W: The runtime accessed the user repository for<some module name> to populate missing unique name data when loading the authorization model for the bus.
这是我的logstash配置文件
input {
file {
path => "<path_to_logs_dir>/applevac.log"
codec => multiline {
pattern => "^\[%{TS}\]"
negate => true
what => "previous"
patterns_dir => "..\patterns"
}
start_position => "beginning"
sincedb_path => "since_db"
}
}
filter {
grok {
#includes custom patterns
match => { "message" => "(\[)%{TS}(\])(\s)+%{HEX:thread}(\s)+%{WORD:module}(\s)+%{ULETTER:letter}(\s)+%{EVERYTHING:eventMsg}" }
}
date {
match => ["eventtime","M/dd/YY HH:mm:ss:SSS z"]
}
}
output {
stdout { }
}
如何将出现在[]之间的时间戳存储在elasticsearch中作为日期。我可以通过基于该时间戳映射我的自定义模式TS将其存储为字符串