堆栈内存溢出
  简体   繁体   English

如何在logstash上添加新的时间戳字段?

[英]How to add new timestamp field on logstash?

 原文  2016-09-27 14:58:31       elasticsearch/ logstash/ kibana-4

问题描述

I'm parsing a log that have previously loaded in my localhost and I would like to get the event date field in each row as a timestamp, but kibana only can gets it as a string. 我正在解析以前已在本地主机中加载的日志,并且我想获取每一行中的事件日期字段作为时间戳,但kibana仅可以将其作为字符串获取。

Example: I have this event 示例:我有这个活动 

2016/09/27 13:33:49.701 GMT(09/27 15:33:49 +0200) INFO       BILLINGGW  ConvergysDelegate.getCustomer(): Calling getCustomerFromCache: 0001:606523

It was loaded on September 27th 2016, 16:04:53.222 , but the logdate field (the event date) is: 2016/09/27 13:33:49.701 . 它于20169月27日16:04:53.222加载 ,但logdate字段(事件日期)为: 2016/09/27 13:33:49.701

On logstash filter I defined: 在logstash过滤器上,我定义了: 

(?<logdate>%{NUMBER:year}/%{NUMBER:month}/%{NUMBER:day} %{HOUR:hday}:%{MINUTE:min}:%{SECOND:sec}) %{GREEDYDATA:result}

I also proved with: 我还证明了: 

(?<logdate>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} %{HOUR:hday}:%{MINUTE:min}:%{SECOND:sec}) %{GREEDYDATA:result}

And kibana reads logdate like string. kibana读取logdate就像字符串一样。 How can I get that kibana could read it as timestamp? 我如何获得kibana可以将其读取为时间戳的信息?

I proved only with the date: 我只用日期证明: 

(?<logdate>%{NUMBER:year}/%{NUMBER:month}/%{NUMBER:day})

and Kibana interpreted it properly like timestamp, but the problem is how to add correctly the hours, minutes and seconds to the logdate field. 和Kibana像时间戳一样正确地解释了它,但是问题是如何正确地将小时,分钟和秒添加到logdate字段中。

Could anyone help me? 有人可以帮我吗?

Best regards. 最好的祝福。

1 个解决方案

解决方案1
 0  2016-09-28 08:51:17

You'll have to convert from a string to a timestamp, using the date filter . 您必须使用日期过滤器将字符串从时间戳转换为时间戳。 

date {
  match => [ "logdate", "yyyy/MM/dd HH:mm:ss"]
}

This will attempt to parse the logdate field with this date pattern yyyy/MM/dd HH:mm:ss and, if successful, will replace the @timestamp field with the result. 这将尝试使用此日期模式yyyy/MM/dd HH:mm:ss解析logdate字段,如果成功,将用结果替换@timestamp字段。 You can specify another field for the parsed date with the target option. 您可以使用target选项为解析日期指定另一个字段。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 取出字段的第一行并将其添加为Logstash 1.4.0中的新字段 - Take out the first line of a field and add it as a new field in Logstash 1.4.0 如何覆盖logstash中来自json的时间戳字段 - how to override timestamp field coming from json in logstash 如何在logstash配置文件中将“日期”字段转换为时间戳? - How to convert Date field into timestamp in logstash config file? 如何在 logstash 过滤器中添加自动删除字段 - how to add auto remove field in logstash filter 如何在 logstash 过滤器中添加文件中的字段 - How to add a field from a file in logstash filter 如何通过logstash向kibana添加字段 - How to add a field to kibana via logstash 从logstash中的时间戳中提取特定时间字段 - Extract specific time field from timestamp in logstash 使用自定义时间戳值更新logstash中的@timetamp字段 - Update @timetamp field in logstash with custom timestamp value 如何在Logstash ElasticSearch中使用_timestamp - How to use _timestamp in logstash elasticsearch ELK 堆栈中的新字段 - logstash - New field in ELK stack - logstash
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM