Question

来自我的输出，如下所示，

＆＃34;消息＆＃34; =＆gt;＆＃34;＆lt; .......＆＃34;，
＆＃34; @版本＆＃34; =＆GT; ＆＃34; 1＆＃34 ;,
＆＃34; @时间戳＆＃34; =＆GT; ＆＃34; 2016-04-29T02：33：34.586Z＆＃34 ;,
＆＃34;时间戳＆＃34; =＆GT; ＆＃34; 4月29日10：30：37＆＃34;，
＆＃34; syslog_severity_code＆＃34; =＆GT; 5，
＆＃34; syslog_facility_code＆＃34; =＆GT; 1，
＆＃34; SYSLOG_FACILITY＆＃34; =＆GT; ＆＃34;用户级＆＃34 ;,
＆＃34; syslog_severity＆＃34; =＆GT; ＆＃34;通知＆＃34;

我尝试获取字段值

filter
 {
    mutate {
    add_field => {"newfield"=> "timestamp"}
 }

但仍无法获得newfield的时间戳值它会得到

"newfield" => "newfield",

是否有人遇到同样的问题或找到解决方案？欢迎任何帮助来解决这个问题。

Answer 1

这很简单，就这样做：

filter
 {
   mutate {
    add_field => ["newfield"=> "%{timestamp}"]
 }

你可以得到：

   "message" => "test it \b\b",
  "@version" => "1",
"@timestamp" => "2016-04-28T09:16:56.934Z",
      "host" => "bag",
 "timestamp" => "Apr 29 10:30:37",
 "new_field" => "Apr 29 10:30:37"

如何在logstash中获取字段值？

1 个答案: