我需要将日志的时间戳记用作@timestamp。我尝试了与互联网不同的方法,但在我的情况下却没有奏效
input {
s3 {
bucket => "*"
access_key_id => "*"
secret_access_key => "*"
prefix => "*"
backup_to_bucket => "*"
backup_add_prefix => "*"
region => "*"
delete => *
}
}
filter {
grok {
match => { "message" => "%{IPORHOST:clientip} \[%{TIMESTAMP_ISO8601:logtimestamp}\] %{WORD:protocol} %{GREEDYDATA:uri_path} \"%{WORD:verb} %{DATA:partial_request} HTTP/%{NUMBER:httpversion}\" \"%{GREEDYDATA:User_Agent}\" \"%{GREEDYDATA:request}\" %{NUMBER:response} %{NUMBER:ret1} %{NUMBER:ret2} "}
}
date {
match => ["logtimestamp", "ISO8601"]
target => "@timestamp"
}
mutate
{
remove_field => [ "message" ]
}
}
output {
elasticsearch {
hosts => ["endpoint:9200"]
index => "mywebsite.com"
}
stdout {
codec => rubydebug
}
}
示例日志条目:
46.229.168.134 [17/Jun/2019:08:00:19 +0000] https www.mywebsite.com "GET /somefolder/somefolder/request HTTP/1.1" "Mozilla/5.0 (compatible; someBot/3~bl; +http://www.somebot.com/bot.html)" "" 200 48260 8
它没有显示任何错误,但是@timestamp与日志的时间戳不同,即使我尝试将其转换为浏览器的时区(即配置kibana的方式)。