Logstash date filter no longer matching

I'm working on a cluster of ELK services to deploy internally, and having ironed out my config on some initial test machines I'm now porting that over to a Chef cookbook. In order to make my cookbook more extensible I wrote the Logstash config template as a single function that reads the Chef node data and outputs the config. Some peculiarities with the quoting needed to happen to allow for the nested structure of an LS config file.

Anyhow, once I started getting data from my test machines I noticed that once again Logstash was using the timestamp that the event was received for @timestamp instead of the timestamp extracted from the event. I am at a loss as to why.

Below are config and event samples from my initial test machine, and the current test machine. I've pared down the filter statement to only the date section, and trimmed out all but the relevant event data.

Initial version:

filter {
    date {
        match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]
        target => "@timestamp"
    }
}

Parsed Event:

{
    "message": "Oct  1 05:32:07 web-01-01 postfix/smtp[12517]: 0E3E263266: to=<foo@blah.com>, relay=mta.blah.net[1.2.3.4]:25, delay=1.4, delays=0.23/0/0.11/1, dsn=2.0.0, status=sent (250 ok dirdel)",
    "@timestamp": "2014-10-01T05:32:07.000Z",
    "timestamp": "Oct  1 05:32:07",
}

Chef version:

filter {
    date {
        "match" => [
            "timestamp",
            "MMM  d HH:mm:ss",
            "MMM dd HH:mm:ss",
            "ISO8601"
        ]
        "target" => "@timestamp"
    }
}

Parsed Event:

{
    "message": "Oct 29 16:45:15 web-01-01 postfix/smtp[18596]: 05D9D63FA0: to=<foo@bla.com>, relay=mailin-01.mx.blah.com[1.2.3.4]:25, delay=1.1, delays=0.03/0/0.34/0.75, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7B67F7000557B)",
    "@timestamp": "2014-10-30T18:41:33.660Z",
    "timestamp": "Oct 29 16:45:15",
}

Thanks in advance.

Edit:

Here's the full filter section, including the grok section:

filter {
    date {
        "match" => [
            "timestamp",
            "MMM  d HH:mm:ss",
            "MMM dd HH:mm:ss",
            "ISO8601"
        ]
        "target" => "@timestamp"
    }
    grok {
        "type" => "postfix"
        "patterns_dir" => [
            "/opt/logstash/etc/grok_patterns"
        ]
        "pattern" => [
            "%{SYSLOGBASE} %{POSTFIXSMTPDCONNECTS}",
            "%{SYSLOGBASE} %{POSTFIXSMTPDACTIONS}",
            "%{SYSLOGBASE} %{POSTFIXSMTPDTIMEOUTS}",
            "%{SYSLOGBASE} %{POSTFIXSMTPDLOGIN}",
            "%{SYSLOGBASE} %{POSTFIXSMTPDCLIENT}",
            "%{SYSLOGBASE} %{POSTFIXSMTPRELAY}",
            "%{SYSLOGBASE} %{POSTFIXSMTPCONNECT}",
            "%{SYSLOGBASE} %{POSTFIXSMTP4XX}",
            "%{SYSLOGBASE} %{POSTFIXSMTP5XX}",
            "%{SYSLOGBASE} %{POSTFIXSMTPREFUSAL}",
            "%{SYSLOGBASE} %{POSTFIXSMTPLOSTCONNECTION}",
            "%{SYSLOGBASE} %{POSTFIXSMTPTIMEOUT}",
            "%{SYSLOGBASE} %{POSTFIXBOUNCE}",
            "%{SYSLOGBASE} %{POSTFIXQMGR}",
            "%{SYSLOGBASE} %{POSTFIXCLEANUP}"
        ]
        "named_captures_only" => "true"
    }
}

Where the postfix patterns are from https://gist.github.com/jbrownsc/4694374 , but I don't imagine that they're terribly important in this case.

I built the following config based on yours, and it works. The only weird thing in the config is copying '@message' to 'timestamp'. This would normally be done by your grok{} (that you didn't post), though we do see that you do have a valid 'timestamp' field.

input {
        stdin{}
}

filter {
    mutate {
       add_field => [ "timestamp", "%{message}" ]
    }

    date {
        "match" => [
            "timestamp",
            "MMM  d HH:mm:ss",
            "MMM dd HH:mm:ss",
            "ISO8601"
        ]
        "target" => "@timestamp"
    }
}

output {
        stdout{ codec => rubydebug }
}

and the output, showing the correctly-set @timestamp.

{
       "message" => "Oct 29 16:45:15",
      "@version" => "1",
    "@timestamp" => "2015-10-29T23:45:15.000Z",
          "host" => "0.0.0.0",
     "timestamp" => "Oct 29 16:45:15"
}

This all appears to come down to the order in which the filters are specified. The grok filter is what creates the timestamp field, so if the date filter is specified first it has nothing to operate on.

Reversing the order so that grok comes before date has solved the problem, and it only took 10 whole months to figure out!
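To make the ordering effect concrete, here is an added Python emulation (not code from the question, the answer, or Logstash itself) of a two-filter pipeline: a regex standing in for grok's %{SYSLOGBASE}, and a date step that applies the question's patterns and, like Logstash, silently skips when the source field is missing. The sample line, the UTC assumption for the zone-less syslog time and the `demo` helper are constructed here.

```python
import re
from datetime import datetime, timezone

# Constructed sample line modelled on the postfix event in the question (host and queue id made up).
SAMPLE_LINE = "Oct 29 16:45:15 web-01-01 postfix/smtp[18596]: 05D9D63FA0: to=<foo@bla.com>, status=sent"

SYSLOGBASE = re.compile(  # stand-in for grok's %{SYSLOGBASE}: timestamp, logsource, program[pid]
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) (?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:"
)
# "MMM  d HH:mm:ss" and "MMM dd HH:mm:ss" both map to this: strptime matches format whitespace as \s+ and %d takes an unpadded day.
SYSLOG_FORMAT = "%b %d %H:%M:%S"

def grok_filter(event, now=None):
    # Emulates grok { match => ["message", "%{SYSLOGBASE} ..."] }: adds the captured fields.
    m = SYSLOGBASE.match(event["message"])
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event

def date_filter(event, now):
    # Emulates date { match => ["timestamp", ...] target => "@timestamp" }.
    value = event.get("timestamp")
    if value is None:        # Logstash's date filter silently skips a missing source field:
        return event         # no _dateparsefailure tag, and @timestamp keeps the receive time.
    try:
        parsed = datetime.strptime(value, SYSLOG_FORMAT)
        # Syslog timestamps carry no year or zone; Logstash assumes the current year and the host zone (unless `timezone` is set). UTC assumed here.
        event["@timestamp"] = parsed.replace(year=now.year, tzinfo=timezone.utc)
    except ValueError:
        try:                 # fall through to the "ISO8601" pattern
            event["@timestamp"] = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            event.setdefault("tags", []).append("_dateparsefailure")
    return event

def run_pipeline(message, filters, received_at):
    # Filters run in the order listed, exactly like the filter {} block of a Logstash config.
    event = {"message": message, "@timestamp": received_at}   # Logstash's default @timestamp
    for flt in filters:
        event = flt(event, received_at)
    return event

def demo(received_at=datetime(2014, 10, 30, 18, 41, 33, tzinfo=timezone.utc)):
    # The same line through the question's order (date first) and the fixed order (grok first).
    wrong = run_pipeline(SAMPLE_LINE, [date_filter, grok_filter], received_at)
    right = run_pipeline(SAMPLE_LINE, [grok_filter, date_filter], received_at)
    return wrong["@timestamp"].isoformat(), right["@timestamp"].isoformat()
```

With date before grok the event keeps the receive time and carries no parse-failure tag, which is why the problem is easy to miss; a `_dateparsefailure` tag only appears when a present field fails every pattern.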
