目前,我的doc看起来像这样(rubydebug输出):
{
"Timestamp" => 2016-06-20 12:51:14 UTC,
"EventDate" => 2016-06-20 12:51:10 UTC,
"Message" => "Failed to create the specified culture en-AF.",
"ProcessId" => 660,
"ProviderId" => "92bd94ca-02d2-5632-8907-3c6321d43fca",
"ProviderName" => "epicuro",
"Task" => 63133,
"ThreadId" => 5100,
"Version" => 0,
"@version" => "1",
"@timestamp" => "2016-06-20T12:51:57.706Z",
"type" => "epicuroLogs",
"@id" => "epicuro.Api_2519358737299533641_FFFFFFFB"
}
我想使用“Timestamp”字段中的数据作为“@timestamp”的数据,但我无法弄清楚如何做到这一点。看起来@timestamp需要一个字符串,但Timestamp是某种对象? (注意缺少的引号)。日期过滤器需要一个字符串作为我可以告诉的输入。
我该怎么做?
答案 0 :(得分:0)
也许你可以试试这个。希望这是你想要的。
date {
match => [ "Timestamp" , "yyyy-MM-dd HH:mm:ss"]
timezone => "UTC"
}