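I'm using Logstash with data from multiple source files. Each source has an event timestamp, which may be in a different format. I can distinguish them by input type and use an instance of the date plugin for each time format: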
    input {
      # Time format: "MM/dd/yy HH:mm:ss"
      file {
        type => "us_date"
        path => "C:log_data/**/us_date.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        ignore_older => 0
      }
      # Time format: "yyyy/MM/dd HH:mm:ss"
      file {
        type => "euro_date"
        path => "C:log_data/**/euro_date.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        ignore_older => 0
      }
    }
    filter {
      # The first two space-separated tokens (date and time) are joined into date_time
      dissect { mapping => { "message" => "%{date_time} %{+date_time} %{msg}" } }
      if [type] == "us_date" {
        date { match => [ "date_time", "MM/dd/yy HH:mm:ss" ] }
      }
      if [type] == "euro_date" {
        date { match => [ "date_time", "yyyy/MM/dd HH:mm:ss" ] }
      }
    }
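This works, but it leads to code duplication, which I would rather avoid.
Is it possible to store the date format for each input type in a temporary field or an @metadata field, and unpack that data when calling the date plugin, for example: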
    input {
      # Time format: "MM/dd/yy HH:mm:ss"
      file {
        type => "us_date"
        path => "C:log_data/**/us_date.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        ignore_older => 0
        add_field => { "[@metadata][time_pattern]" => ["yyyy/MM/dd HH:mm:ss"] }
      }
    }
    filter {
      dissect { mapping => { "message" => "%{date_time} %{+date_time} %{msg}" } }
      date { match => [ "date_time" , [@metadata][time_pattern] ] }
    }
The above example fails with a ConfigurationError when Logstash is invoked:
[2018-07-06T02:05:11,005][ERROR][logstash.agent] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, \", ', -, [, {, ] at line 16, column 31...
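The full text of the error contains most of the file contents and is omitted for brevity.
Storing the complete match array in [@metadata][time_pattern] => ["mTS", "yyyy/MM/dd HH:mm:ss"] results in a different configuration error: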
[2018-07-06T02:11:27,358][ERROR][logstash.agent] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"translation missing: en.logstash.agent.configuration.invalid_plugin_register", :backtrace=>["D:/ELK/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-filter-date-3.1.9/lib/logstash/filters/date.rb:160:in `initialize'",
I have the "per type" workaround, but I'm curious whether the Logstash configuration syntax somehow supports what I'm trying to do.