如何在Elasticsearch 5.x和Filebeat中解析日期
[英]How to parse date in elasticsearch 5.x and Filebeat
问题描述
I am using elasticsearch 5.x and Filebeat and want to know if there is a way of parsing date(timestamp) directly in filebeat (don't want to use logstash). 
我正在使用Elasticsearch 5.x和Filebeat,想知道是否有一种直接在Filebeat中解析日期(时间戳)的方法(不想使用Logstash)。 I am using json.keys_under_root: true and it works great, but the problem is that timestamp (on us) is recognised as string. 我正在使用json.keys_under_root: true ,它工作得很好,但是问题是(在我们json.keys_under_root: true )时间戳被识别为字符串。 All of the other fields were automatically recognised as correct types only this one isn't. 其他所有字段都自动被识别为正确的类型,只有这不是。
How can I map it as date? 如何将其映射为日期?
1 个解决方案
解决方案1
4 已采纳 2017-05-15 22:56:45
You can use Filebeat with the ES Ingest Node feature to parse your timestamp field and apply the value to the @timestamp field. 您可以将Filebeat与ES Ingest Node功能一起使用来解析您的timestamp字段,并将该值应用于@timestamp字段。
You would setup a simple pipeline in Elasticsearch that applies a date to incoming events. 您将在Elasticsearch中设置一个简单的管道,该管道将日期应用于传入事件。
PUT _ingest/pipeline/my-pipeline
{
"description" : "parse timestamp and update @timestamp",
"processors" : [
{
"date" : {
"field" : "timestamp",
"target_field" : "@timestamp"
}
},
{
"remove": {
"field": "timestamp"
}
}
],
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
]
}
Then in Filebeat configure the elasticsearch output to push data to your new pipeline. 然后在Filebeat中配置 elasticsearch输出以将数据推送到新管道。
output.elasticsearch:
hosts: ["http://localhost:9200"]
pipeline: my-pipeline
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.