I cannot parse a date field with the logstash date plugin. My configuration is as follows:
    if "test" in [tags] {
      csv {
        separator => ","
        columns => [ "value", "received_date" ]
        convert => {
          "value" => "float"
        }
      }
      mutate {
        # Strip trailing fractional seconds; the dot is escaped so it only matches a literal "."
        gsub => [ "received_date", "\.\d*$", "" ]
      }
      date {
        match => [ "received_date", "yyyy-MM-dd HH:mm:ss" ]
      }
    }
I get the error:
[2018-06-19T11:51:20,583][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>"f2d34d84-1ea4-4510-8237-2329a4d1ffba", :_index=>"logstash-2018.06.19", :_type=>"doc", :_routing=>nil}, #], :response=>{"index"=>{"_index"=>"logstash-2018.06.19", "_type"=>"doc", "_id"=>"f2d34d84-1ea4-4510-8237-2329a4d1ffba", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [received_date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2018-06-19 11:51:15\" is malformed at \" 11:51:15\""}}}}}
If I add a target:
    date {
      match => [ "received_date", "yyyy-MM-dd HH:mm:ss" ]
      target => "received_date"
    }
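Then it works, but the timestamp field takes the date on which logstash received the input, which is not what I want.
Why does target affect date parsing?

Answer 0 (score: 0)

The timestamp field is, for some reason, mapped as a date in Elasticsearch.
You can remove the timestamp field: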
    date {
      locale => "en"
      remove_field => ["timestamp"]
    }
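
As an added illustration (not part of the question or the answer, and a Python model rather than Logstash itself), the sketch below traces the question's csv, gsub and date steps. It shows which field each `target` choice rewrites and whether `received_date` would then pass a date mapping. Assumptions: the CSV line is constructed, the time is treated as UTC, `received_date` is mapped as a date with Elasticsearch's default `strict_date_optional_time` format (approximated here by a regex), and `run_filters` / `es_accepts` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample line: value, received_date with fractional seconds.
SAMPLE = "12.5,2018-06-19 11:51:15.123"

# Simplified stand-in for strict_date_optional_time: a date, optionally followed
# by a 'T'-separated time. A space between date and time is rejected.
ES_DATE = re.compile(
    r"\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?)?"
)

def run_filters(line, targets=("@timestamp",), now="2018-06-19T11:51:20.000Z"):
    """Model csv -> mutate/gsub -> one date filter per entry in `targets`.

    "@timestamp" is the date filter's default target; `now` stands for the
    ingest time Logstash assigns before any filter runs.
    """
    value, received = line.split(",")
    event = {"value": float(value), "received_date": received, "@timestamp": now}
    # mutate/gsub: strip trailing fractional seconds
    event["received_date"] = re.sub(r"\.\d*$", "", event["received_date"])
    # date filter: parse the string, then write an ISO 8601 timestamp to the target
    parsed = datetime.strptime(event["received_date"], "%Y-%m-%d %H:%M:%S")
    iso = parsed.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    for target in targets:  # source string is parsed once, before any overwrite
        event[target] = iso
    return event

def es_accepts(event, field="received_date"):
    """True if the field value would parse under the modelled date mapping."""
    return ES_DATE.fullmatch(event[field]) is not None

if __name__ == "__main__":
    for label, targets in [
        ("no target", ("@timestamp",)),
        ("target => received_date", ("received_date",)),
        ("two date filters", ("@timestamp", "received_date")),
    ]:
        ev = run_filters(SAMPLE, targets)
        print(f"{label:26} @timestamp={ev['@timestamp']} "
              f"received_date={ev['received_date']!r} indexable={es_accepts(ev)}")
```

The last case models two `date` blocks on the same source field, the one without `target` placed first, so that `@timestamp` carries the event time and `received_date` is still stored in a form the date mapping accepts.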