Question

我需要将UNIX时间戳字段的值写入@timestamp，这样我才能正确索引流经logstash的数据，我有这部分工作。但是，我还要求@timestamp的值应该是插入时间。为此，我创建了一个临时字段，其中包含@timestamp的原始值。

以下是我的工作内容：

filter {
    csv {
        separator => "  " # <- this white space is actually a tab, don't change it, it's already perfect
        skip_empty_columns => true
        columns => ["timestamp", ...]
    }
    # works just fine
    mutate {
        add_field => {
            "tmp" => "%{@timestamp}"
        }
    }
    # works just fine
    date {
       match => ["timestamp", "UNIX"]
       target => "@timestamp"
    }
    # this works too
    mutate {
        add_field => {
            "[@metadata][indexDate]" => "%{+YYYY-MM-dd}"
        }
    }   
    # @timestamp is not being set back to its original value
    date {
        match => ["tmp", "UNIX"]
        target => "@timestamp"
    }
    # works just fine
    mutate {
        remove_field => ["tmp"]
    }
}

output {
    elasticsearch {
        hosts => "elasticsearch:9200"
        # this works
        index => "indexname-%{[@metadata][indexDate]}"
    }
}

问题在于：

date {
    match => ["tmp", "UNIX"]
    target => "@timestamp"
}

@timestamp未被设置回其原始值。当我检查数据时，它与timestamp字段具有相同的值。

Answer 1

当您将日期添加到tmp时，它会以ISO8601格式添加，因此您需要使用：

date {
    match => ["tmp", "ISO8601"]
    target => "@timestamp"
}

在LogStash中写入@timestamp

1 个答案: