Logstash - 尝试创建经过的过滤器
Logstash - Trying to create an elapsed filter
我正在尝试创建经过的过滤器,但是经过的字段没有出现。
这是输入:
statement => "SELECT TRANSACTION_ID, COMMUNICATION_ID,
BROKER_NAME, IS_NAME, SERVICE_NAME, OPERATION_NAME, OPERATION_VERSION, MESSAGE_TYPE, APPROACH, CLIENT_ID,
APPLICATION_ID, EXT_SESSION_ID, EXT_TRANSACTION_ID, EXT_ORIGIN, LANG_CODE, EXT_HOST, APPLICATION, CHANNEL,
NUM_RETRIES, STATUS_CODE, STATUS_MSG, DATE_CREATED,
DESTINATION_HOST, OPERATION_ID
FROM IIB_OPER.COMMUNICATION_LOG
WHERE DATE_CREATED > '2018-07-20'"
这是过滤器:
filter {
if [message_type] == "Req" {
mutate {
add_tag => [ "taskStarted" ]
}
}
if [message_type] == "Res" {
mutate {
add_tag => [ "taskTerminated" ]
}
}
elapsed {
unique_id_field => "operation_id"
start_tag => "taskStarted"
end_tag => "taskTerminated"
timeout => 20000
new_event_on_match => true
}
}
在 Kibana 中,在索引模式中,字段出现了,但是当我让 logstash 工作时,经过的字段没有出现。
知道为什么吗?
干杯,
回答我自己的问题...
问题是我正在尝试转换已经在 JSON 中的列以导入到 Elastic,因此可以创建另一个临时日期。
date {
match => [ "temp_date", "yyyy-MM-dd HH:mm:ss,SSS"]
}
if [message_type] == "Req" {
mutate {
add_tag => [ "taskStarted" ]
}
}
if [message_type] == "Res" {
mutate {
add_tag => [ "taskTerminated" ]
}
}
elapsed {
unique_id_field => "operation_id"
start_tag => "taskStarted"
end_tag => "taskTerminated"
timeout => 30
}
还有一点...非常重要...超时以秒为单位,不以毫秒为单位。
干杯,
我正在尝试创建经过的过滤器,但是经过的字段没有出现。 这是输入:
statement => "SELECT TRANSACTION_ID, COMMUNICATION_ID,
BROKER_NAME, IS_NAME, SERVICE_NAME, OPERATION_NAME, OPERATION_VERSION, MESSAGE_TYPE, APPROACH, CLIENT_ID,
APPLICATION_ID, EXT_SESSION_ID, EXT_TRANSACTION_ID, EXT_ORIGIN, LANG_CODE, EXT_HOST, APPLICATION, CHANNEL,
NUM_RETRIES, STATUS_CODE, STATUS_MSG, DATE_CREATED,
DESTINATION_HOST, OPERATION_ID
FROM IIB_OPER.COMMUNICATION_LOG
WHERE DATE_CREATED > '2018-07-20'"
这是过滤器:
filter {
if [message_type] == "Req" {
mutate {
add_tag => [ "taskStarted" ]
}
}
if [message_type] == "Res" {
mutate {
add_tag => [ "taskTerminated" ]
}
}
elapsed {
unique_id_field => "operation_id"
start_tag => "taskStarted"
end_tag => "taskTerminated"
timeout => 20000
new_event_on_match => true
}
}
在 Kibana 中,在索引模式中,字段出现了,但是当我让 logstash 工作时,经过的字段没有出现。
知道为什么吗?
干杯,
回答我自己的问题... 问题是我正在尝试转换已经在 JSON 中的列以导入到 Elastic,因此可以创建另一个临时日期。
date {
match => [ "temp_date", "yyyy-MM-dd HH:mm:ss,SSS"]
}
if [message_type] == "Req" {
mutate {
add_tag => [ "taskStarted" ]
}
}
if [message_type] == "Res" {
mutate {
add_tag => [ "taskTerminated" ]
}
}
elapsed {
unique_id_field => "operation_id"
start_tag => "taskStarted"
end_tag => "taskTerminated"
timeout => 30
}
还有一点...非常重要...超时以秒为单位,不以毫秒为单位。
干杯,