我的日志文件中的日期和时间格式如下:
[29/02/2020 07:34:27.805] - sc879537 - 10.107.172.25 - 12 - Transaction 2659 COMPLETED 6849 ms wait time 3597 ms
我希望将此值填充到字段中:在 Kibana 中@timestamp,因为目前它包含索引操作时间,而不是日志记录时间。 这是我的日志存储 conf 文件:
input {
file {
path => "/home/mathis/Documents/intranet-2020-02-25-8400.log"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => ["[%{DATESTAMP:logdate}] - %{USERNAME:user} - %{IPV4:clientip} - %{NUMBER} - %{WORD} %{NUMBER:exectime} %{WORD} %{NUMBER:time} %{GREEDYDATA:data} %{NUMBER:waittime}"] }
remove_field => "message"
}
date {
match => [ "logdate", "MM/dd/YYYY HH:mm:ss.SSS" ]
}
}
output {
elasticsearch {
hosts => "127.0.0.1:9200"
index => "logstash-local3-%{+YYYY.MM.dd}"
}
}
我已经解决了我的问题,这是我的
conf文件:input {
file {
path => "/home/mathis/Documents/intranet-2020-02-25-8400.log"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => { "message" => ["[%{DATESTAMP:eventtime}] - %{USERNAME:user} - %{IPV4:clientip} - %{NUMBER} - %{WORD} %{NUMBER:exectime} %{WORD} %{NUMBER:time} %{GREEDYDATA:data} %{NUMBER:waittime}"] }
remove_field => "message"
}
date {
match => [ "eventtime", "dd/MM/YYYY HH:mm:ss.SSS" ]
target => "@timestamp"
}
}
output {
elasticsearch {
hosts => "127.0.0.1:9200"
index => "logstash-local3-%{+YYYY.MM.dd}"
}
}