我遇到了从JSON解析设置时间戳的问题。
我有这个字符串:
[{"orderNumber":"423523-4325-3212-4235-463a72e76fe8","externalOrderNumber":"reactivate_22d6ff0d8f55eb821be14df9d35505a6","operation":{"name":"CAPTURE","amount":134,"status":"SUCCESS","createdAt":"2015-05-11T09:14:30.969Z","updatedAt":{}}}]
我使用此Logstash过滤器将其解析为json:
grok {
match => { "message" => "\[%{GREEDYDATA:firstjson}\]%{SPACE} \[%{GREEDYDATA:secondjson}\}]}]"}
}
json{
source => "firstjson"
}
date {
match => [ "operation.createdAt", "ISO8601"]
}
mutate {
remove_field => [ "firstjson", "secondjson" ]
}
}
这会在ElasticSearch中创建一个文档。我有一个名为operation.createdAt的字段,它被正确识别为日期字段。但出于某种原因,这一行:
date {
match => [ "operation.createdAt", "ISO8601"]
}
未设置@timestamp字段。当前@timestamp字段在文档插入时设置。我做错了什么?
答案 0 :(得分:0)
感谢ES Logstash Community的好人,我找到了答案。
而不是:
date {
match => [ "operation.createdAt", "ISO8601"]
}
我用这个:
date {
match => [ "[operation][createdAt]", "ISO8601"]
}
并正确提取和解析JSON时间对象。