使用日志的自定义Java时间戳格式的ELK Logstash中的日期解析问题
[英]Date parsing issue in ELK Logstash with the custom Java timestamp format of logs
问题描述
Following is the sample logs recieved from java application 
以下是从Java应用程序收到的示例日志
2019-04-11 9:08:22:562 Log 1
2019-04-11 9:08:22:660 Log 2
2019-04-11 9:08:43:79 Log 3
2019-04-11 9:08:43:156 Log 4
From above logs, I'm facing issue with Log 3 where the milliseconds value is only 79, but after parsing in the Logstash, the value is set as 790 ms (Logstash parsing is correct, but java log value is wrong). 从上面的日志中,我遇到了Log 3问题,其中毫秒值仅为79,但是在Logstash中解析后,该值设置为790 ms(Logstash解析是正确的,但是java日志值是错误的)。 Actually the value should be 2019-04-11 9:08:43:079 in the log for proper parsing. 实际上,该值应为正确解析日志中的2019-04-11 9:08:43:079 。
Logstash filter is as below: Logstash过滤器如下:
date {
match => [ "log_time", "yyyy-MM-dd HH:mm:ss:SSS", "ISO8601" ]
target => "log_time"
timezone => "CET"
}
On digging deeper, I found the issue is with Java logging with this time format, it will be resolved if the format is yyyy-MM-dd HH:mm:ss.SSS . 在深入研究时,我发现问题在于这种时间格式的Java日志记录,如果格式为yyyy-MM-dd HH:mm:ss.SSS ,则可以解决。 But the logging application uses the format yyyy-MM-dd HH:mm:ss:SSS which causes this issue (Note the difference in format :SSS and .SSS ). 但是日志记录应用程序使用格式yyyy-MM-dd HH:mm:ss:SSS导致此问题(请注意格式:SSS和.SSS )。
I cannot change the logging java system, So is there any workaround with the Logstash filter to fix this issue. 我无法更改日志记录Java系统,因此Logstash筛选器是否有任何解决方法来解决此问题。
1 个解决方案
解决方案1
1 已采纳 2019-04-19 04:55:21
I got it resolved by inserting 0 prefix to the milliseconds having only 2 digits, using following gsub: 我通过使用以下gsub在只有2位数字的毫秒中插入0前缀来解决此问题:
mutate { gsub => [ "log_time", "^([0-9-]+ [0-9]+:[0-9]{2}:[0-9]{2}:)([0-9])$", "\100\2",
"log_time", "^([0-9-]+ [0-9]+:[0-9]{2}:[0-9]{2}:)([0-9]{2})$", "\10\2" ] }
Got help from elastic discuss group 得到了弹性讨论小组的帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.