Logstash日期解析不同

时间:2018-09-19 15:30:29

标签: logstash

我正在尝试创建一个过滤器来解析日志文件中的日期。过滤器的设置如下:

filter {
    date {
            match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
    }
}

相关日志消息的结构如下:

[2018-09-18 10:13:17,623] [main] INFO  com.test.pack - Message
[2018-09-18 10:13:17,634] [main] INFO  com.test.pack - Message
[2018-09-18 10:13:17,641] [main] INFO  com.test.pack - Message

Logstash的输出是:

{
      "host" => "hostname",
"@timestamp" => 2018-09-19T15:19:50.561Z,
   "message" => "[2018-09-18 10:13:17,623] [main] INFO com.test.pack - Message",
      "path" => "/path/to/file.log",
  "@version" => "1"
}
{
      "host" => "hostname",
"@timestamp" => 2018-09-19T15:19:50.561Z,
   "message" => "[2018-09-18 10:13:17,634] [main] INFO com.test.pack - Message",
      "path" => "/path/to/file.log",
  "@version" => "1"
}
{
      "host" => "hostname",
"@timestamp" => 2018-09-19T15:19:50.561Z,
   "message" => "[2018-09-18 10:13:17,641] [main] INFO com.test.pack - Message",
      "path" => "/path/to/file.log",
  "@version" => "1"
}

因此,logstash时间戳在日期和时间上都不同。日期在 17th 上的日志消息也显示为 19th 。有什么想法可以过滤吗?

1 个答案:

答案 0 :(得分:2)

您还将需要一个grok过滤器i来从消息中提取时间戳。请尝试这样的事情。

filter {
    grok {
            match => {"message" => "[%{TIMESTAMP_ISO8601:timestamp}] [main] %{GREEDYDATA:restOfMessage}"}
  }
    date {
            match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
             timezone => "Etc/UCT"
    }
}

请在https://www.joda.org/joda-time/timezones.html此处适当选择时区。可能是EST5EDT,EST,UTC或其他名称。

相关问题
最新问题