When collecting logs, several files are collected together, so the events arrive out of time order. @timestamp therefore has to be set to the time recorded in the log line itself.
My log format is as follows:
[2016-11-01 16:48:24,946] [ERROR] c.b.t.x.x.x.x 200 -- [f8b9e646-363e-4976-ac83-944a99e159ac] failed transferFee EXCEPTION :c.b.t.manager.common.exception.FrontParamException: 错误码:BILLING_FAILED
Add a grok filter whose regex extracts the date from the log line, then a date filter that parses it:
filter {
  grok {
    match => { "message" => "\[(?<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})" }
  }
  date {
    match => ["datetime", "yyyy-MM-dd HH:mm:ss,SSS"]
    target => "@timestamp"
  }
}
Run a test:
bin/logstash -e 'input {
  stdin {}
}
filter {
  grok {
    match => { "message" => "\[(?<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})" }
  }
  date {
    match => ["datetime", "yyyy-MM-dd HH:mm:ss,SSS"]
    target => "@timestamp"
  }
}
output {
  stdout { codec => rubydebug }
}'
Feed in a line in my log format shown above, and it returns:
{
       "message" => "[2016-11-01 16:48:24,946] [ERROR] c.b.t.x.x.x.x 200 -- [f8b9e646-363e-4976-ac83-944a99e159ac] failed transferFee EXCEPTION :c.b.t.manager.common.exception.FrontParamException: 错误码:BILLING_FAILED",
      "@version" => "1",
    "@timestamp" => "2016-11-01T08:48:24.946Z",
          "host" => "linux21-49",
      "datetime" => "2016-11-01 16:48:24,946"
}
You can see that @timestamp has been rewritten successfully; it is stored in UTC, which is why the 16:48 local time shows up as 08:48Z.
Online tester for grok regexes: grokdebug
https://grokdebug.herokuapp.com
Removal
Finally, the datetime field is of no use in Elasticsearch, so remove it in the filter (the mutate option is remove_field; the older remove option is deprecated):
mutate {
  remove_field => ["datetime"]
}
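As an added example (my own code, not part of the post), the same pipeline reproduced in Python: the grok regex, the date parse into UTC, dropping the helper field, and the cross-file ordering the post is after, plus what happens to a line that does not match. It assumes the log lines are written in UTC+8, which the 16:48 to 08:48Z output above implies, and uses constructed sample lines.

```python
import re
from datetime import datetime, timedelta, timezone

# The same regex as the grok pattern in the post: the bracketed timestamp at line start.
TS_RE = re.compile(r"\[(?P<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})")
# Joda "yyyy-MM-dd HH:mm:ss,SSS" written as a strptime format (%f right-pads "946" to 946000 us).
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
# Assumption: log lines are written in the Logstash host's local zone, UTC+8 here,
# which is what the 16:48 local -> 08:48Z output in the post implies.
LOCAL_TZ = timezone(timedelta(hours=8))

def parse_event(message, ingest_time):
    """Mimic grok + date + mutate: return an event whose @timestamp is an ISO-8601 UTC string."""
    event = {"message": message, "@timestamp": ingest_time, "tags": []}
    m = TS_RE.search(message)
    if m is None:
        # No match: grok tags the event and @timestamp stays at ingest time.
        event["tags"].append("_grokparsefailure")
        return event
    try:
        local = datetime.strptime(m.group("datetime"), TS_FMT).replace(tzinfo=LOCAL_TZ)
    except ValueError:
        event["tags"].append("_dateparsefailure")
        return event
    utc = local.astimezone(timezone.utc)
    event["@timestamp"] = utc.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    # The intermediate datetime field is deliberately not kept (the mutate step in the post).
    return event

def order_events(lines, ingest_time):
    """Parse every line and sort by @timestamp, which is why the post rewrites it."""
    return sorted((parse_event(line, ingest_time) for line in lines),
                  key=lambda e: e["@timestamp"])

# Constructed input: lines from two log files as they arrive, out of time order;
# the first is the line from the post, the third is a stack-trace line with no timestamp.
SAMPLE_LINES = [
    "[2016-11-01 16:48:24,946] [ERROR] c.b.t.x.x.x.x 200 -- [f8b9e646-363e-4976-ac83-944a99e159ac] failed transferFee EXCEPTION :c.b.t.manager.common.exception.FrontParamException: 错误码:BILLING_FAILED",
    "[2016-11-01 16:48:20,001] [INFO] c.b.t.x.x.x.x 200 -- request received",
    "java.lang.IllegalStateException: stack-trace line without its own timestamp",
    "[2016-11-01 16:48:22,500] [WARN] c.b.t.x.x.x.x 200 -- retrying transferFee",
]
INGEST_TIME = "2016-11-01T09:00:00.000Z"  # constructed: when Logstash read the lines

if __name__ == "__main__":
    for event in order_events(SAMPLE_LINES, INGEST_TIME):
        print(event["@timestamp"], event["tags"], event["message"][:40])
```

Logstash makes the same zone assumption implicitly (the host's local zone); the date filter's timezone option pins it explicitly so the result does not change when the pipeline moves to another host.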