Logstash和ElasticSearch过滤器Date @timestamp问题
[英]Logstash and ElasticSearch filter Date @timestamp issue
问题描述
Im trying to index some data from file to ElasticSearch by using Logstash . 
我试着去指数从文件中的一些数据ElasticSearch使用Logstash 。
If I'm not using the Date filter in order to replace the @timestamp everything works very well, but when in using the filter I do not get all the data. 如果我没有使用Date filter来替换@timestamp一切都很好,但是在使用过滤器时,我没有得到所有数据。
I can't figure out why there is a difference between the Logstash command line and Elasticsearch in the @timestamp value. 我不知道为什么@timestamp值的Logstash command line和Elasticsearch之间存在差异。
Logstash conf Logstash conf
filter {
mutate {
replace => {
"type" => "dashboard_a"
}
}
grok {
match => [ "message", "%{DATESTAMP:Logdate} \[%{WORD:Severity}\] %{JAVACLASS:Class} %{GREEDYDATA:Stack}" ]
}
date {
match => [ "Logdate", "dd-MM-yyyy hh:mm:ss,SSS" ]
}
}
Logstash Command line trace Logstash命令行跟踪
{
**"@timestamp" => "2014-08-26T08:16:18.021Z",**
"message" => "26-08-2014 11:16:18,021 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\r",
"@version" => "1",
"host" => "bts10d1",
"path" => "D:\\ElasticSearch\\logstash-1.4.2\\Dashboard_A\\Log_1\\6.log",
"type" => "dashboard_a",
"Logdate" => "26-08-2014 11:16:18,021",
"Severity" => "DEBUG",
"Class" => "com.fnx.snapshot.mdb.SnapshotMDB",
"Stack" => " - SnapshotMDB Ctor is called\r"
}
ElasticSearch result ElasticSearch结果
{
"_index": "logstash-2014.08.28",
"_type": "dashboard_a",
"_id": "-y23oNeLQs2mMbyz6oRyew",
"_score": 1,
"_source": {
**"@timestamp": "2014-08-28T14:31:38.753Z",
**"message": "15:07,565 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\r",
"@version": "1",
"host": "bts10d1",
"path": "D:\\ElasticSearch\\logstash-1.4.2\\Dashboard_A\\Log_1\\6.log",
"type": "dashboard_a",
"tags": ["_grokparsefailure"]
}
}
1 个解决方案
解决方案1
0 已采纳 2014-08-29 02:41:29
Please make sure all your logs is in format! 请确保您的所有日志均为格式!
You can see in the logstash command line trace the logs is 您可以在logstash命令行跟踪中看到日志为
26-08-2014 11:16:18,021 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\\r
But, in the elastsicsearch the log is 但是,在弹性搜索中,日志是
15:07,565 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\\r",
Two logs have different time and their format are not same! 两个日志的时间不同,格式也不一样! The second one do not have any information about daytime, therefore it will cause the grok filter parsing error. 第二个没有白天的任何信息,因此将导致grok filter解析错误。 You can go to check the origin logs. 您可以检查原始日志。 Or can you provide the origin logs sample for more discussion if all of them are in format! 如果所有格式都正确,您是否可以提供原始日志样本以进行更多讨论!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.