有没有办法将年份部分附加到 logstash 中的系统日志
Is there a way to append year part to the syslogs in logstash
我是 ELK 堆栈的新手。目前正在处理格式为 :
的系统日志
Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...
使用的grok模式如下:
grok {
match => {
"message" => [
"%{SYSLOGTIMESTAMP:syslog_date}\s+%{DATA:node}\s+%{DATA:component_name}\[%{NUMBER:pid}\]\:\s+%{GREEDYDATA:log_message}"]
我需要以下面的格式解析这些日志 kibana,syslog_date 附加当前年份。
当前格式:
"log_message" => "Starting system activity accounting tool...",
"@timestamp" => August 28th 2019, 23:49:53.014,
"node" => "localhost",
"@version" => "1",
"host" => "localhost.localdomain",
"pid" => "1",
"message" => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
"type" => "stdin",
"component_name" => "systemd",
"SYSLOGTIMESTAMP:syslog_date" => "Apr 26 12:20:02"
}
所需格式:
"log_message" => "Starting system activity accounting tool...",
"@timestamp" => August 28th 2019, 23:49:53.014,
"node" => "localhost",
"@version" => "1",
"host" => "localhost.localdomain",
"pid" => "1",
"message" => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
"type" => "stdin",
"component_name" => "systemd",
"SYSLOGTIMESTAMP:syslog_date" => "Apr 26 2019 12:20:02"
}
有人可以帮忙吗?或者任何其他可以满足这种情况的方式
您可以使用
根据 logstash 中的 @timestamp 字段添加 "current" 年份
mutate { add_field => { "dateWithYear" => "%{[syslog_date]} %{+YYYY}" } }
但是,有些时候(12 月 31 日午夜刚过)那是错误的年份。日期过滤器有 some handling for this, and there has been discussion about changing 那个。
我是 ELK 堆栈的新手。目前正在处理格式为 :
的系统日志Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...
使用的grok模式如下:
grok {
match => {
"message" => [
"%{SYSLOGTIMESTAMP:syslog_date}\s+%{DATA:node}\s+%{DATA:component_name}\[%{NUMBER:pid}\]\:\s+%{GREEDYDATA:log_message}"]
我需要以下面的格式解析这些日志 kibana,syslog_date 附加当前年份。
当前格式:
"log_message" => "Starting system activity accounting tool...",
"@timestamp" => August 28th 2019, 23:49:53.014,
"node" => "localhost",
"@version" => "1",
"host" => "localhost.localdomain",
"pid" => "1",
"message" => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
"type" => "stdin",
"component_name" => "systemd",
"SYSLOGTIMESTAMP:syslog_date" => "Apr 26 12:20:02"
}
所需格式:
"log_message" => "Starting system activity accounting tool...",
"@timestamp" => August 28th 2019, 23:49:53.014,
"node" => "localhost",
"@version" => "1",
"host" => "localhost.localdomain",
"pid" => "1",
"message" => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
"type" => "stdin",
"component_name" => "systemd",
"SYSLOGTIMESTAMP:syslog_date" => "Apr 26 2019 12:20:02"
}
有人可以帮忙吗?或者任何其他可以满足这种情况的方式
您可以使用
根据 logstash 中的 @timestamp 字段添加 "current" 年份mutate { add_field => { "dateWithYear" => "%{[syslog_date]} %{+YYYY}" } }
但是,有些时候(12 月 31 日午夜刚过)那是错误的年份。日期过滤器有 some handling for this, and there has been discussion about changing 那个。