你好,我试图解析一个旧的apache日志,输出有一个正确的时间戳,还有一个@timestamp字段,@ timestamp是现在的日期时间,我怎样才能确保时间戳成为kibana的@timestamp / elasticsearch。 示例输入:
172.31.21.26 - - [20/Jul/2017:22:1``0:52 +0200] "GET /mobile/getParent/NzE4MzU1ZmUtNmIwOC00N2JkLTk1YmYtNmNhZTUyZmVmNGYz HTTP/1.1" 200 452 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 (4301339520)"
conf file:
input {
file {
path=>"/home/ronald/Downloads/log/httpd/short.log"
start_position=>"beginning"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
output {
elasticsearch{
hosts=>"localhost"
index=>"roha_test"
document_type=>"demo1"
}
stdout{
codec => "rubydebug"
}
}
输出:
"request" =>"/mobile/getParent/NzE4MzU1ZmUtNmIwOC00N2JkLTk1YmYtNmNhZTUyZmVmNGYz",
"agent" => "\"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 (4301339520)\"",
"auth" => "-",
"ident" => "-",
"verb" => "GET",
"message" => "172.31.21.26 - - [20/Jul/2017:22:10:52 +0200] \"GET /mobile/getParent/NzE4MzU1ZmUtNmIwOC00N2JkLTk1YmYtNmNhZTUyZmVmNGYz HTTP/1.1\" 200 452 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 (4301339520)\"",
"path" => "/home/ronald/Downloads/log/httpd/short.log",
"referrer" => "\"-\"",
"@timestamp" => 2017-10-06T08:49:10.440Z,
"response" => "200",
"bytes" => "452",
"clientip" => "172.31.21.26",
"@version" => "1",
"host" => "ronald-XPS-13-9343",
"httpversion" => "1.1",
"timestamp" => "20/Jul/2017:22:10:52 +0200"
logstash版本5.6.1
答案 0 :(得分:0)
您必须添加date filter,将void CRender::BoxFilled(float x, float y, float w, float h, DWORD color)
{
vertex V[4];
V[0].color = V[1].color = V[2].color = V[3].color = color;
V[0].z = V[1].z = V[2].z = V[3].z = 0;
V[0].rhw = V[1].rhw = V[2].rhw = V[3].rhw = 0;
V[0].x = x;
V[0].y = y;
V[1].x = x + w;
V[1].y = y;
V[2].x = x + w;
V[2].y = y + h;
V[3].x = x;
V[3].y = y + h;
unsigned short indexes[] = { 0, 1, 3, 1, 2, 3 };
m_pD3dDev->CreateVertexBuffer(4 * sizeof(vertex), D3DUSAGE_WRITEONLY, D3DFVF_XYZRHW | D3DFVF_DIFFUSE, D3DPOOL_DEFAULT, &g_pVB, NULL);
m_pD3dDev->CreateIndexBuffer(2 * sizeof(short), D3DUSAGE_WRITEONLY, D3DFMT_INDEX16, D3DPOOL_DEFAULT, &g_pIB, NULL);
VOID* pVertices;
g_pVB->Lock(0, sizeof(V), (void**)&pVertices, 0);
memcpy(pVertices, V, sizeof(V));
g_pVB->Unlock();
VOID* pIndex;
g_pIB->Lock(0, sizeof(indexes), (void**)&pIndex, 0);
memcpy(pIndex, indexes, sizeof(indexes));
g_pIB->Unlock();
m_pD3dDev->SetTexture(0, NULL);
m_pD3dDev->SetPixelShader(NULL);
m_pD3dDev->SetRenderState(D3DRS_ALPHABLENDENABLE, TRUE);
m_pD3dDev->SetRenderState(D3DRS_SRCBLEND, D3DBLEND_SRCALPHA);
m_pD3dDev->SetRenderState(D3DRS_DESTBLEND, D3DBLEND_INVSRCALPHA);
m_pD3dDev->SetStreamSource(0, g_pVB, 0, sizeof(vertex));
m_pD3dDev->SetFVF(D3DFVF_XYZRHW | D3DFVF_DIFFUSE);
m_pD3dDev->SetIndices(g_pIB);
m_pD3dDev->DrawIndexedPrimitive(D3DPT_TRIANGLELIST, 0, 0, 4, 0, 2);
g_pVB->Release();
g_pIB->Release();
}
字段转换为elasticsearch理解的已解析日期时间对象。类似的东西:
void fillrgba(int x, int y, int w, int h, DWORD color)
{
D3DXVECTOR2 vLine[2];
pLine->SetWidth(w);
pLine->SetAntialias(false);
pLine->SetGLLines(true);
vLine[0].x = x + w / 2;
vLine[0].y = y;
vLine[1].x = x + w / 2;
vLine[1].y = y + h;
pLine->Begin();
pLine->Draw(vLine, 2, color);
pLine->End();
}