0

我已经尝试了几个小时,但 grok 根本不想正确解析时间戳:

信息:

Tue, 13 Oct 2015 21:30:26 GMT users_service Three users logged in.

.conf 文件:

input { stdin { } }

filter {
  grok {
    match => { "message" => "%{DAY:day}, %{MONTHDAY:month_day} %{MONTH:month} %{YEAR:year} %{TIME:time} GMT %{WORD:service} %{GREEDYDATA:message_entry}" }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
  }
  date {
    match => [ "timestamp", "dd MMM yyyy HH:mm:ss" ]
    locale => "en"
  }
}

output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}

我得到的是:

{
          "message" => "Tue, 13 Oct 2015 21:30:26 GMT users_service Three users logged in.",
         "@version" => "1",
       "@timestamp" => "2015-10-13T23:09:58.738Z",
             "host" => "users_host",
              "day" => "Tue",
        "month_day" => "13",
            "month" => "Oct",
             "year" => "2015",
             "time" => "21:30:26",
          "service" => "users_service",
    "message_entry" => "Three users logged in.",
      "received_at" => "2015-10-13T23:09:58.738Z",
    "received_from" => "users_host"
}

我原以为那里有一块timestamp田地,但没有。

4

2 回答 2

0

您配置的date过滤器需要"timestamp"记录中的一个字段。目前,您的记录不包含具有该名称和预期内容的字段。

grok您可以使用您在消息中匹配的数据和设置在过滤器中创建所需的字段,add_field然后在日期过滤器成功时删除临时字段:

filter {
  grok {
    match => {
      "message" => "%{DAY:day}, %{MONTHDAY:month_day} %{MONTH:month} %{YEAR:year} %{TIME:time} GMT %{WORD:service} %{GREEDYDATA:message_entry}"
    }
    add_field => {
      "received_at" => "%{@timestamp}"
      "received_from" => "%{host}"
      "timestamp" => "%{month_day} %{month} %{year} %{time}"
    }
  }

  date {
    match => [ "timestamp", "dd MMM yyyy HH:mm:ss" ]
    locale => "en"
    remove_field => [ "timestamp" ]
  }
}
于 2015-11-06T05:40:04.917 回答
0

如您所见,grok{} 正在为您创建几个字段。date{} 期望单个字段和该字段的格式,但配置中没有任何内容将它们组合回您可以使用的单个“时间戳”字段。

您有两个选择:创建一个不同的 grok 模式,将所有日期/时间内容放入一个字段,然后将其(使用正确的模式信息)传递给 date{},或者使用 add_field 从所有部分创建一个新字段你有。

于 2015-10-13T23:26:02.147 回答