
Elasticsearch Elapsed plugin for log time difference

Does the Elapsed plugin used in ELK to find the time difference use only the default @timestamp (set when the log is ingested into ES), or can it be configured to use log_time (the timestamp from the log)?

My requirement is to find the time difference between two logs that are not input to Elasticsearch in real time.

I don't currently have the logs to check it, so it would be great to get a quick answer. Thanks in advance.

Not sure I understand, but it sounds like the documents you index have a field called 'log_time', but when you index those docs it adds an '@timestamp' field which has a different time in it.

If that is the case, there are two options for you; both will take the value of 'log_time' and copy it to the @timestamp field at index time.

Either use the Logstash date filter https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

or use an ES ingest pipeline with the date processor: https://www.elastic.co/guide/en/elasticsearch/reference/master/date-processor.html
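The following is an added illustration, not code from the question or the answer above: a small Python model of what the Logstash date filter and elapsed filter do to a pair of replayed log events. The elapsed filter measures the gap between the start and end event using each event's @timestamp, so if @timestamp still holds the ingest time of a batch replay, the "elapsed" value is just the few milliseconds between the two lines being read. Overwriting @timestamp from log_time first (the date-filter option from the answer) yields the real duration. The event fields, tag names, task id and timestamps are constructed for the example; `date_filter` and `elapsed` are simplified stand-ins for the real plugins, not their code.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: two log lines written the previous evening and replayed
# into Logstash the next morning. `log_time` is the timestamp inside each line;
# `@timestamp` is what Logstash stamps at ingest, so the two differ by ~3 ms
# even though the events are four and a half minutes apart in the log.
INGEST_START = datetime(2020, 6, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": INGEST_START,
     "log_time": "2020-05-31T22:10:05.000Z",
     "task_id": "job-42", "tags": ["taskStarted"]},
    {"@timestamp": INGEST_START + timedelta(milliseconds=3),
     "log_time": "2020-05-31T22:14:35.500Z",
     "task_id": "job-42", "tags": ["taskTerminated"]},
]


def date_filter(event, source="log_time", target="@timestamp"):
    """Model of the Logstash date filter
        date { match => ["log_time", "ISO8601"] target => "@timestamp" }
    (or the ES date processor with field/formats/target_field):
    parse the ISO8601 string in `source` and overwrite `target` with it."""
    ev = dict(event)
    # datetime.fromisoformat does not accept a trailing 'Z' before 3.11
    ev[target] = datetime.fromisoformat(ev[source].replace("Z", "+00:00"))
    return ev


def elapsed(events, start_tag="taskStarted", end_tag="taskTerminated",
            unique_id_field="task_id"):
    """Model of the Logstash elapsed filter: pair a start-tagged and an
    end-tagged event by unique id and report the gap between their @timestamp
    values in seconds. Keyed by task id; unmatched starts are ignored."""
    starts = {}
    results = {}
    for ev in events:
        key = ev[unique_id_field]
        if start_tag in ev["tags"]:
            starts[key] = ev["@timestamp"]
        elif end_tag in ev["tags"] and key in starts:
            results[key] = (ev["@timestamp"] - starts.pop(key)).total_seconds()
    return results


def elapsed_from_ingest_time(events):
    """What you get when elapsed runs on the default @timestamp: ingest lag."""
    return elapsed(events)


def elapsed_from_log_time(events):
    """What you get when the date filter runs first: the duration in the log."""
    return elapsed([date_filter(ev) for ev in events])


if __name__ == "__main__":
    print("from ingest time:", elapsed_from_ingest_time(SAMPLE_EVENTS))
    print("from log_time:   ", elapsed_from_log_time(SAMPLE_EVENTS))
```

In a real Logstash pipeline the same ordering matters: put the `date` filter before the `elapsed` filter in the `filter {}` block, since elapsed reads whatever @timestamp holds when it runs.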
