• The most important field is @timestamp, which marks when the event occurred.


    [elk@node01 conf]$ logstash -f logstash.conf 
    Settings: Default pipeline workers: 4
    hellow world
    Pipeline main started
    {
           "message" => "hellow world",
          "@version" => "1",
        "@timestamp" => "2017-07-02T05:33:12.865Z",
              "host" => "0.0.0.0"
    }
    
    
    Because this field is used in Logstash's internal event flow, it must be a Joda object. If you try to rename a string field of your own to @timestamp, Logstash raises an error.
    
    [elk@node01 conf]$ cat logstash.conf 
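    input {
      stdin {}
    }
    
    filter {
      # Extract the HTTP-style date from the message into the logdate field
      grok {
        match => ["message", "%{HTTPDATE:logdate}"]
      }
    
      # Renaming to an ordinary field name works: currtime stays a string
      mutate {
        rename => {"logdate" => "currtime"}
      }
    }
    
    output {
      stdout {
        codec => rubydebug {}
      }
    }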
    
    [elk@node01 conf]$ logstash -f logstash.conf 
    Settings: Default pipeline workers: 4
    Pipeline main started
    12/Sep/2016:21:32:33 +0800
    {
           "message" => "12/Sep/2016:21:32:33 +0800",
          "@version" => "1",
        "@timestamp" => "2017-07-02T20:08:03.318Z",
              "host" => "0.0.0.0",
          "currtime" => "12/Sep/2016:21:32:33 +0800"
    }
    
    
    
    What if logdate is renamed to @timestamp instead?
    
    
    [elk@node01 conf]$ cat logstash.conf 
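    input {
      stdin {}
    }
    
    filter {
      # Extract the HTTP-style date from the message into the logdate field
      grok {
        match => ["message", "%{HTTPDATE:logdate}"]
      }
    
      # Renaming the string onto @timestamp is what triggers the TypeError below
      mutate {
        rename => {"logdate" => "@timestamp"}
      }
    }
    
    output {
      stdout {
        codec => rubydebug {}
      }
    }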
    
    [elk@node01 conf]$ logstash -f logstash.conf 
    Settings: Default pipeline workers: 4
    Pipeline main started
    12/Sep/2016:21:32:33 +0800
    Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>#<TypeError: The field '@timestamp' must be a (LogStash::Timestamp, not a String (12/Sep/2016:21:32:33 +0800)>, "backtrace"=>["/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-event-2.3.4-java/lib/logstash/event.rb:128:in `[]='", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-2.0.6/lib/logstash/filters/mutate.rb:247:in `rename'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-2.0.6/lib/logstash/filters/mutate.rb:243:in `rename'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-2.0.6/lib/logstash/filters/mutate.rb:217:in `filter'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/filters/base.rb:151:in `multi_filter'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/filters/base.rb:148:in `multi_filter'", "(eval):68:in `filter_func'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:267:in `filter_batch'", "org/jruby/RubyArray.java:1613:in `each'", "org/jruby/RubyEnumerable.java:852:in `inject'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:265:in `filter_batch'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:223:in `worker_loop'", "/usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:201:in `start_workers'"], :level=>:error}
    TypeError: The field '@timestamp' must be a (LogStash::Timestamp, not a String (12/Sep/2016:21:32:33 +0800)
                []= at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-event-2.3.4-java/lib/logstash/event.rb:128
             rename at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-2.0.6/lib/logstash/filters/mutate.rb:247
               each at org/jruby/RubyHash.java:1342
             rename at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-2.0.6/lib/logstash/filters/mutate.rb:243
             filter at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-2.0.6/lib/logstash/filters/mutate.rb:217
       multi_filter at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/filters/base.rb:151
               each at org/jruby/RubyArray.java:1613
       multi_filter at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/filters/base.rb:148
        filter_func at (eval):68
       filter_batch at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:267
               each at org/jruby/RubyArray.java:1613
             inject at org/jruby/RubyEnumerable.java:852
       filter_batch at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:265
        worker_loop at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:223
      start_workers at /usr/local/logstash-2.3.4/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:201
    [elk@node01 conf]$ 
    
    
    Logstash fails immediately with an error.
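
An added example, not part of the original post: to set @timestamp from the log line, parse the string with the `date` filter instead of renaming it, so the value is converted to the timestamp type Logstash requires. The `locale` setting, the conditional on the grok failure tag and the `remove_field` cleanup are additions assumed here, not taken from the post's config.

```logstash
input {
  stdin {}
}

filter {
  grok {
    match => ["message", "%{HTTPDATE:logdate}"]
  }

  # Only attempt date parsing when grok actually extracted logdate
  if "_grokparsefailure" not in [tags] {
    date {
      # Joda-style pattern for HTTPDATE, e.g. 12/Sep/2016:21:32:33 +0800
      match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
      # Month abbreviations are English regardless of the host locale
      locale => "en"
      # @timestamp is already the default target; stated here for clarity
      target => "@timestamp"
      # Unparseable values keep the ingest time and are tagged for review
      tag_on_failure => ["_dateparsefailure"]
      # Dropped only when parsing succeeds
      remove_field => ["logdate"]
    }
  }
}

output {
  stdout {
    codec => rubydebug {}
  }
}
```

For the input `12/Sep/2016:21:32:33 +0800` the event's @timestamp becomes `2016-09-12T13:32:33.000Z` (UTC). Events tagged `_dateparsefailure` still carry the time Logstash read them, not the time in the log line, which matters when ordering events during an investigation.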

  • Original article: https://www.cnblogs.com/hzcya1995/p/13349645.html