Logstash 日期过滤器不解析时间

Logstash date filter don’t parse time

我有一个 msi 安装程序格式的日志(只有时间,没有日期):

MSI (c) (F0:8C) [09:00:05:007]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (F0:8C) [09:00:05:007]: Grabbed execution mutex.
MSI (c) (F0:8C) [09:00:05:007]: Cloaking enabled.
MSI (c) (F0:8C) [09:00:05:007]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (F0:8C) [09:00:05:007]: Incrementing counter to disable shutdown. Counter after increment: 0

我想从日志中获取一个时间子串并将其与当前日期合并。
这是我的过滤器配置:

filter {
  if "curl" in [tags] {
    date {
      locale => "en"
      match => ["message", "HH:mm:ss:SSS"]
      timezone => "+0200"
      target => "logtime"
    }
    mutate {
         add_field => {"logdate" => "%{+YYYY-MM-dd}"}
         add_field => {"tmp_field" => "%{logdate}_%{logtime}"}
    }
    date {
      locale => "en"
      match => ["tmp_field", "YYYY-MM-dd_HH:mm:ss:SSS"]
      timezone => "+0200"
      remove_field => ["logdate","logtime","tmp_field"]
    }
  }
}

将日志加载到 logstash 时,过滤器不起作用,我得到每个事件的 _dateparsefailure 标记。
我做错了什么?

为此,您需要隔离时间戳,在您没有日期的情况下,使用 grok 或类似的东西。然后你可以尝试用 date 解析它并开始添加日期。像这样:

filter {
    grok {
        break_on_match => false
        match => ["message","MSI \(c\) \((?<id>[A-F0-9]{2}:[A-F0-9]{2})\) \[%{TIME:time}\]: %{GREEDYDATA:message}"]
        tag_on_failure => [ "_grokparsefailure"]
        add_field => { "time" => "%{+YYYY-MM-dd}"}
        add_field => { "timestamp" => "%{time} %{hour}" }
    }
    date {
        target => "@timestamp"
        match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
        timezone => "+0200"
    }
}

免责声明,这没有经过测试,这是一个想法,可能会有一些小错误,但这是解决这个问题的一般方法。