时间处理(Date)
之前章节已经提过,
filters/date 插件可以用来转换你的日志记录中的时间字符串,变成 LogStash::Timestamp 对象,然后转存到 @timestamp 字段里
output {
if [type] == "zj_frontend_access"{
elasticsearch {
hosts => "192.168.32.80:9200"
index => "logstash-zjzc-frontend-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
else if [type] == "wj_frontend_access"{
elasticsearch {
hosts => "192.168.32.81:9200"
index => "logstash-wj-frontend-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
}
注意:因为在稍后的 outputs/elasticsearch 中常用的 %{+YYYY.MM.dd} 这种写法必须读取 @timestamp 数据,
所以一定不要直接删掉这个字段保留自己的字段,而是应该用 filters/date 转换后删除自己的字段!
[elk@zjtest7-frontend config]$ ../bin/logstash -f stdin02.conf
Settings: Default pipeline workers: 1
Pipeline main started
12/Sep/2016:21:32:33 +0800
{
"message" => "12/Sep/2016:21:32:33 +0800",
"@version" => "1",
"@timestamp" => "2016-09-13T02:00:19.890Z",
"host" => "0.0.0.0",
"logdate" => "12/Sep/2016:21:32:33 +0800"
}
[elk@zjtest7-frontend config]$ cat stdin02.conf
input {
stdin {
}
}
filter {
grok {
match => ["message", "%{HTTPDATE:logdate}"]
}
# date {
# match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
# add_field =>["response_time","%{logdate}"]
# }
}
output {
stdout {
codec=>rubydebug{}
}
}
使用date插件:
[elk@zjtest7-frontend config]$ cat stdin02.conf
input {
stdin {
}
}
filter {
grok {
match => ["message", "%{HTTPDATE:logdate}"]
}
date {
match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
add_field =>["response_time","%{logdate}"]
}
}
output {
stdout {
codec=>rubydebug{}
}
}
[elk@zjtest7-frontend config]$ ../bin/logstash -f stdin02.conf
Settings: Default pipeline workers: 1
Pipeline main started
12/Sep/2016:21:32:33 +0800
{
"message" => "12/Sep/2016:21:32:33 +0800",
"@version" => "1",
"@timestamp" => "2016-09-12T13:32:33.000Z",
"host" => "0.0.0.0",
"logdate" => "12/Sep/2016:21:32:33 +0800",
"response_time" => "12/Sep/2016:21:32:33 +0800"
}