Convert a string to date in logstash in json DATA
From this source data
2022-01-21 12:25:01,339 {"category":"runtime","some_id":"order","correlation_id":"OEID_1","servid":"143","provision_id":"898769049","operation_name":"CREATE", "processing_state":"ACTIVE","lifecycle_state":"ACTIVE","created":"2022-01-21 12:25:00,369","changed":"2022-01-21 12:25:00,806","runtime":"0.437"}
and my basic logstash configuration
filter {
  grok {
    match => { message => "^%{TIMESTAMP_ISO8601:logdate}%{SPACE}*%{DATA:json}$" }
    add_tag => [ "matched", "provisioning_runtime" ]
  }
  json {
    source => "json"
    add_tag => [ "json" ]
  }
  # matcher for the @timestamp
  date {
    match => [ "logdate", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS"]
  }
}
I am trying to convert the created field from a string to a date field, but without replacing the @timestamp field. How do I insert this into the configuration? I don't understand this, and nothing I have tried has worked.
You can use something like this:
date {
  match => [ "logdate", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS"]
  target => "logdate"
}
The documentation is here.
As I understand it, you also want to convert the created and changed values to date values. This can be done like this:
filter {
  grok {
    match => { message => "^%{TIMESTAMP_ISO8601:logdate}%{SPACE}*%{DATA:json}$" }
    add_tag => [ "matched", "provisioning_runtime" ]
  }
  json {
    source => "json"
    add_tag => [ "json" ]
  }
  # matcher for the @timestamp
  date {
    match => [ "logdate", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS"]
  }
  # matcher for the created
  date {
    match => [ "created", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS"]
    target => "created"
  }
  # matcher for the changed
  date {
    match => [ "changed", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS"]
    target => "changed"
  }
}
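An added example, not part of the question or either answer: a Python reference that mirrors the three stages of the configuration above (split the line, parse the JSON, convert `logdate`, `created` and `changed`), so the expected field values can be checked offline against what Logstash emits. The source timestamps carry no UTC offset, so the UTC+01:00 source zone is an assumption, as are the names `process` and `to_utc`.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the log line from the question, shortened to the relevant keys.
SAMPLE = ('2022-01-21 12:25:01,339 {"category":"runtime","some_id":"order",'
          '"created":"2022-01-21 12:25:00,369",'
          '"changed":"2022-01-21 12:25:00,806","runtime":"0.437"}')

# Same split the grok pattern performs: leading timestamp, then the JSON body.
LINE_RE = re.compile(
    r"^(?P<logdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s*(?P<json>\{.*\})$")
FMT = "%Y-%m-%d %H:%M:%S,%f"  # Python equivalent of yyyy-MM-dd HH:mm:ss,SSS
SOURCE_TZ = timezone(timedelta(hours=1))  # assumption: the source host logs in UTC+01:00


def to_utc(value, tz=SOURCE_TZ):
    """Read a zone-less timestamp as local time in tz; return UTC ISO8601 (ms precision)."""
    local = datetime.strptime(value, FMT).replace(tzinfo=tz)
    utc = local.astimezone(timezone.utc)
    return utc.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def process(line, tz=SOURCE_TZ):
    """Return the event as a dict; failures are tagged the way Logstash tags them."""
    event = {"tags": []}
    m = LINE_RE.match(line)
    if not m:
        event["tags"].append("_grokparsefailure")
        return event
    try:
        event.update(json.loads(m.group("json")))
    except ValueError:
        event["tags"].append("_jsonparsefailure")
        return event
    # date filter without target: the result goes to @timestamp
    event["@timestamp"] = to_utc(m.group("logdate"), tz)
    # date filters with target: each field is overwritten in place, @timestamp is untouched
    for field in ("created", "changed"):
        if field not in event:
            continue  # field absent: nothing to convert
        try:
            event[field] = to_utc(event[field], tz)
        except (TypeError, ValueError):
            event["tags"].append("_dateparsefailure")  # original string is kept
    return event
```

If the values Logstash stores differ from these by a whole number of hours, the host's local zone is being applied to the zone-less strings; the date filter's `timezone` option sets it explicitly.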