我正在尝试通过filebeat将jetty日志导入elasticsearch。
日志格式如下:
Sep 06, 2017 8:06:32 PM com.nphase.redcapcloud.server.managers.rules.RuleRunAsync executeSync
INFO: Rule execution start: 3-6 Month Follow Up - Hide Imaging Form
logstash配置如下所示:
filter {
if "jetty" in [service] {
grok {
match => { "message" => ["%{MONTH:[system][jetty][month]} %{MONTHDAY:[system][jetty][day]}, %{YEAR:[system][jetty][year]} %{TIME:[system][jetty][time]}%{CRON_ACTION:[system][jetty][day_period]} %{NOTSPACE:[system][jetty][class]} %{WORD:[system][jetty][method]}\n%{GREEDYMULTILINE:[system][jetty][multiline]}"]}
pattern_definitions => {
"GREEDYMULTILINE" => "(.|\r|\n)*"
}
}
mutate {
add_field => {
"timestamp_match" => "%{[system][jetty][month]} %{[system][jetty][day]}, %{[system][jetty][year]} %{[system][jetty][time]}%{[system][jetty][day_period]}"
}
}
date {
match => [ "timestamp_match",
"MM dd, YYYY KK:mm:ss aa",
"MM d, YYYY KK:mm:ss aa" ]
timezone => "UTC"
}
}
}
我尝试将日期与timestamp_match字段匹配,但它无效。什么可能是错的?
答案 0 :(得分:1)
date {
match => [ "timestamp_match",
"MMM dd, YYYY KK:mm:ss aa",
"MMM d, YYYY KK:mm:ss aa" ]
timezone => "UTC"
}
日期匹配需要MMM,因为这个月有3个字母。