Custom date_time field is identical but does not match in the Logstash grok date filter

Time: 2017-04-09 21:00:36

Tags: elasticsearch logstash logstash-grok logstash-configuration

The input is comma-separated values: " 2010-08-19"" 09:12:55"" 56095675"

I created a custom date_time field whose format is correct, 2010-08-19;09:12:55, but it does not match:

filter {
  grok {
    match => { "message" => '"(%{GREEDYDATA:cust_date})","(%{TIME:cust_time})","(%{NUMBER:author})"' }
    add_field => {
      "date_time" => "%{cust_date};%{cust_time}"
    }
  }

  date {
    match => ["date_time", "yyyy-MM-dd;hh:mm:ss"]
    target => "@timestamp"
    add_field => { "debug" => "timestampMatched" }
  }
}

Output in Kibana:

cust_date       August 18th 2010, 20:00:00.000
cust_time       09:12:55
date_time       2010-08-19;09:12:55
message         "2010-08-19","09:12:55","56095675"
tags        beats_input_codec_plain_applied, _dateparsefailure

It gives _dateparsefailure. The field looks identical to the match pattern. I tried different time formats, e.g. YYYY-MM-dd;hh:mm:ss and YYYY-MM-dd;HH:mm:ss. What am I doing wrong? Help!

1 answer:

Answer 0 (score: 0)

You should put the date plugin inside the grok section under filter.

filter {
  grok {
    match => { "message" => '"(%{GREEDYDATA:cust_date})","(%{TIME:cust_time})","(%{NUMBER:author})"' }
    add_field => {
      "date_time" => "%{cust_date};%{cust_time}"
    }
  }

  date {
    match => ["date_time", "yyyy-MM-dd;hh:mm:ss"]
    target => "@timestamp"
    add_field => { "debug" => "timestampMatched" }
  }
}
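As an added example (not part of the question or the answer above, and not Logstash's own code), here is a small Python simulation of the two filters in the question. It mirrors the grok line as a regex, maps the Joda-style date pattern onto strptime directives, and reproduces the two ways the date step fails with a _dateparsefailure tag: an hh (1-12 clock hour) pattern applied to a 24-hour value such as 21:00:36, and stray whitespace inside date_time. The names grok_and_date, apply_date_filter and joda_to_strptime, the token table, and the sample message lines are all constructed for this example.

```python
import re
from datetime import datetime, timezone
from typing import List

# Joda-style tokens from the question's date pattern, mapped to strptime
# directives. Assumption: the simulation supports only this subset.
JODA_TO_STRPTIME = {
    "yyyy": "%Y",  # four-digit year
    "MM": "%m",    # month, 01-12
    "dd": "%d",    # day of month, 01-31
    "HH": "%H",    # hour of day, 00-23
    "hh": "%I",    # clock hour of the half-day, 01-12 (so "21" is a mismatch)
    "mm": "%M",    # minute
    "ss": "%S",    # second
}
_TOKEN_RE = re.compile("|".join(sorted(JODA_TO_STRPTIME, key=len, reverse=True)))

# Regex equivalent (constructed) of the question's grok line:
# '"(%{GREEDYDATA:cust_date})","(%{TIME:cust_time})","(%{NUMBER:author})"'
GROK_AS_REGEX = re.compile(
    r'"(?P<cust_date>.*)","(?P<cust_time>\d{1,2}:\d{2}:\d{2})","(?P<author>\d+)"'
)


def joda_to_strptime(pattern: str) -> str:
    """Translate a Joda-style pattern such as yyyy-MM-dd;HH:mm:ss to strptime form."""
    return _TOKEN_RE.sub(lambda m: JODA_TO_STRPTIME[m.group(0)], pattern)


def apply_date_filter(event: dict, field: str, patterns: List[str],
                      source_tz=timezone.utc) -> dict:
    """Mimic `date { match => [field, pattern...] target => "@timestamp" }`.

    Each pattern is tried in order against the whole field value. On success
    @timestamp is set (UTC, ISO 8601) plus the question's debug marker; on
    failure the event is tagged _dateparsefailure, as the Logstash filter does.
    """
    value = event.get(field)
    for pattern in patterns:
        try:
            parsed = datetime.strptime(value, joda_to_strptime(pattern))
        except (TypeError, ValueError):
            continue  # no match for this pattern, try the next one
        event["@timestamp"] = (parsed.replace(tzinfo=source_tz)
                               .astimezone(timezone.utc).isoformat())
        event["debug"] = "timestampMatched"
        return event
    event.setdefault("tags", []).append("_dateparsefailure")
    return event


def grok_and_date(message: str, pattern: str = "yyyy-MM-dd;hh:mm:ss") -> dict:
    """Run the question's grok and date steps over one message line and return the event."""
    event = {"message": message, "tags": []}
    match = GROK_AS_REGEX.search(message)
    if match is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(match.groupdict())
    # add_field => { "date_time" => "%{cust_date};%{cust_time}" }
    event["date_time"] = f"{event['cust_date']};{event['cust_time']}"
    return apply_date_filter(event, "date_time", [pattern])


if __name__ == "__main__":
    # Constructed sample lines: the question's message, then one with a 24-hour time.
    ok = grok_and_date('"2010-08-19","09:12:55","56095675"')
    print(ok["date_time"], "->", ok.get("@timestamp"), ok["tags"])
    evening = grok_and_date('"2017-04-09","21:00:36","56095675"')  # hh: 21 is not in 1-12
    print(evening["date_time"], "->", evening.get("@timestamp"), evening["tags"])
    fixed = grok_and_date('"2017-04-09","21:00:36","56095675"', "yyyy-MM-dd;HH:mm:ss")
    print(fixed["date_time"], "->", fixed.get("@timestamp"), fixed["tags"])
    padded = apply_date_filter({"date_time": " 2010-08-19;09:12:55", "tags": []},
                               "date_time", ["yyyy-MM-dd;HH:mm:ss"])
    print(repr(padded["date_time"]), "->", padded["tags"])  # leading space -> _dateparsefailure
```

Two practical checks go with this. Run the pipeline file through `bin/logstash -t -f <file>` (`--config.test_and_exit`) before loading it, which catches an unclosed `filter { }` or a `date { }` nested where it cannot go; and set the date filter's `timezone` option (for example `timezone => "UTC"`) when the source has no offset, otherwise the Logstash host's local zone is assumed and @timestamp shifts silently.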