1

我正在尝试根据我的时区调整返回的日期时间值。我的通知如下所示:

An abnormally low number of events occurred around 2016-09-28 22:49 CEST.

这是参考我的时区的正确日期。在通知的字段部分中,我有时间进入 UTC-0 区域:

@timestamp: 2016-09-28T20:49:44.711696Z

我曾尝试以这种方式使用增强功能,请提交..\elastalert\elastalert_modules

from datetime import datetime
from elastalert.enhancements import BaseEnhancement

class TimeEnhancement(BaseEnhancement):
    def process(self, match):
        if '@timestamp' in match:
            now = datetime.now()
            hours2 = datetime(0, 0, 0, 2, 0, 0)
            match['@timestamp'] = now + hours2

我还在规则中添加了用法:

match_enhancements:
- "elastalert_modules.my_enhancements.TimeEnhancement"

只是为了测试,不是为了最终的解决方案

4

2 回答 2

1

在github上的一些帮助下,我设法得到了一些有用的东西(我认为它将日期时间格式化为服务器正在运行的同一时区)Python2:

from elastalert.util import pretty_ts
from elastalert.enhancements import BaseEnhancement


class TimeEnhancement(BaseEnhancement):
    def process(self, match):
        for k, v in match.items():
            if isinstance(v, basestring) and v.endswith('Z'):
                try:
                    match[k] = pretty_ts(v)
                except:
                    pass

Python3:

from elastalert.util import pretty_ts
from elastalert.enhancements import BaseEnhancement


class TimeEnhancement(BaseEnhancement):
    def process(self, match):
        for k, v in match.items():
            if isinstance(v, str) and v.endswith('Z'):
                try:
                    match[k] = pretty_ts(v)
                except:
                    pass
于 2017-01-16T12:58:24.967 回答
0

@Peter 的替代方法,因为我只需要一个带有本地时间的字段。

from elastalert.util import pretty_ts
from elastalert.enhancements import BaseEnhancement


class TimeEnhancement(BaseEnhancement):
    '''
    Add local @timestamp (server time)
    '''

    def process(self, match):
        if '@timestamp' in match:
            ts = match['@timestamp']
            if isinstance(ts, str) and ts.endswith('Z'):
                match['@timestamp_local'] = pretty_ts(ts)
于 2020-08-20T08:03:27.270 回答