LogStash: How to make a copy of the @timestamp field while maintaining the same time format?
Question
I would like to create a copy of the @timestamp field such that it uses the same format as @timestamp.
I tried the following:
mutate {
  add_field => ["read_time", "%{@timestamp}"]
}
However, while @timestamp is in the format 2014-08-01T18:34:46.824Z, read_time is in the format 2014-08-01 18:34:46.824 UTC.
This is an issue as Kibana doesn't understand the "UTC" format for histograms.
Is there a way using the date filter to do this?
Recommended answer
Kibana can't understand it because the read_time field is a string, not a timestamp!
You can use the ruby filter to do what you need. Just copy @timestamp to a new field read_time, and the field's time is a timestamp, not a string. add_field adds a new field with string type!
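Here is my configuration:
input {
  stdin {}
}
filter {
  # Copy the timestamp object itself, so read_time keeps the timestamp type
  ruby {
    code => "event['read_time'] = event['@timestamp']"
  }
  # For comparison: add_field interpolates the value into a string field
  mutate {
    add_field => ["read_time_string", "%{@timestamp}"]
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
}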
You can try it and see the output. The output is:
{
"message" => "3243242",
"@version" => "1",
"@timestamp" => "2014-08-08T01:09:49.647Z",
"host" => "BENLIM",
"read_time" => "2014-08-08T01:09:49.647Z",
"read_time_string" => "2014-08-08 01:09:49 UTC"
}
Hope this can help you.
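The difference between the two fields in the output above can be reproduced in plain Ruby. This is an added example, not code from the original post or from Logstash: a Hash and a Ruby Time stand in for the Logstash event and its timestamp (an assumption), and classify and to_iso8601_ms are hypothetical helper names. It also converts the already-stringified "UTC" forms shown on this page back to the @timestamp format.

```ruby
require 'time'

# Formats seen on this page:
#   2014-08-08T01:09:49.647Z      (@timestamp)
#   2014-08-08 01:09:49 UTC       (read_time_string in the answer)
#   2014-08-01 18:34:46.824 UTC   (read_time in the question)
ISO_MS     = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\z/
UTC_STRING = /\A(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})(\.\d+)? UTC\z/

# Report what kind of value a time field actually holds.
def classify(value)
  return :timestamp      if value.is_a?(Time)
  return :unknown        unless value.is_a?(String)
  return :iso8601_string if value.match?(ISO_MS)
  return :utc_string     if value.match?(UTC_STRING)
  :unknown
end

# Render any recognised form as ISO 8601 with milliseconds, or nil if unknown.
def to_iso8601_ms(value)
  case classify(value)
  when :timestamp      then value.getutc.iso8601(3)  # getutc does not mutate the receiver
  when :iso8601_string then value
  when :utc_string
    m = UTC_STRING.match(value)
    Time.iso8601("#{m[1]}T#{m[2]}#{m[3]}Z").iso8601(3)
  end
end

# Constructed sample event; a Hash stands in for the Logstash event (assumption).
def sample_event
  event = { '@timestamp' => Time.utc(2014, 8, 8, 1, 9, 49, 647_000) }
  event['read_time'] = event['@timestamp']               # object copy keeps the type
  event['read_time_string'] = "#{event['@timestamp']}"   # interpolation calls to_s
  event
end

if __FILE__ == $PROGRAM_NAME
  sample_event.each do |field, value|
    puts format('%-17s %-15s %s', field, classify(value), to_iso8601_ms(value))
  end
end
```
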