Logstash 日期过滤器不解析时间
Logstash date filter don’t parse time
我有一个 msi 安装程序格式的日志(只有时间,没有日期):
MSI (c) (F0:8C) [09:00:05:007]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (F0:8C) [09:00:05:007]: Grabbed execution mutex.
MSI (c) (F0:8C) [09:00:05:007]: Cloaking enabled.
MSI (c) (F0:8C) [09:00:05:007]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (F0:8C) [09:00:05:007]: Incrementing counter to disable shutdown. Counter after increment: 0
我想从日志中获取一个时间子串并将其与当前日期合并。
这是我的过滤器配置:
filter {
if "curl" in [tags] {
date {
locale => "en"
match => ["message", "HH:mm:ss:SSS"]
timezone => "+0200"
target => "logtime"
}
mutate {
add_field => {"logdate" => "%{+YYYY-MM-dd}"}
add_field => {"tmp_field" => "%{logdate}_%{logtime}"}
}
date {
locale => "en"
match => ["tmp_field", "YYYY-MM-dd_HH:mm:ss:SSS"]
timezone => "+0200"
remove_field => ["logdate","logtime","tmp_field"]
}
}
}
将日志加载到 logstash 时,过滤器不起作用,我得到每个事件的 _dateparsefailure 标记。
我做错了什么?
为此,您需要隔离时间戳,在您没有日期的情况下,使用 grok
或类似的东西。然后你可以尝试用 date
解析它并开始添加日期。像这样:
filter {
grok {
break_on_match => false
match => ["message","MSI \(c\) \((?<id>[A-F0-9]{2}:[A-F0-9]{2})\) \[%{TIME:time}\]: %{GREEDYDATA:message}"]
tag_on_failure => [ "_grokparsefailure"]
add_field => { "time" => "%{+YYYY-MM-dd}"}
add_field => { "timestamp" => "%{time} %{hour}" }
}
date {
target => "@timestamp"
match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
timezone => "+0200"
}
}
免责声明,这没有经过测试,这是一个想法,可能会有一些小错误,但这是解决这个问题的一般方法。
我有一个 msi 安装程序格式的日志(只有时间,没有日期):
MSI (c) (F0:8C) [09:00:05:007]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (F0:8C) [09:00:05:007]: Grabbed execution mutex.
MSI (c) (F0:8C) [09:00:05:007]: Cloaking enabled.
MSI (c) (F0:8C) [09:00:05:007]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (F0:8C) [09:00:05:007]: Incrementing counter to disable shutdown. Counter after increment: 0
我想从日志中获取一个时间子串并将其与当前日期合并。
这是我的过滤器配置:
filter {
if "curl" in [tags] {
date {
locale => "en"
match => ["message", "HH:mm:ss:SSS"]
timezone => "+0200"
target => "logtime"
}
mutate {
add_field => {"logdate" => "%{+YYYY-MM-dd}"}
add_field => {"tmp_field" => "%{logdate}_%{logtime}"}
}
date {
locale => "en"
match => ["tmp_field", "YYYY-MM-dd_HH:mm:ss:SSS"]
timezone => "+0200"
remove_field => ["logdate","logtime","tmp_field"]
}
}
}
将日志加载到 logstash 时,过滤器不起作用,我得到每个事件的 _dateparsefailure 标记。
我做错了什么?
为此,您需要隔离时间戳,在您没有日期的情况下,使用 grok
或类似的东西。然后你可以尝试用 date
解析它并开始添加日期。像这样:
filter {
grok {
break_on_match => false
match => ["message","MSI \(c\) \((?<id>[A-F0-9]{2}:[A-F0-9]{2})\) \[%{TIME:time}\]: %{GREEDYDATA:message}"]
tag_on_failure => [ "_grokparsefailure"]
add_field => { "time" => "%{+YYYY-MM-dd}"}
add_field => { "timestamp" => "%{time} %{hour}" }
}
date {
target => "@timestamp"
match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
timezone => "+0200"
}
}
免责声明,这没有经过测试,这是一个想法,可能会有一些小错误,但这是解决这个问题的一般方法。