LogStash:如何在保持相同时间格式的同时复制@timestamp字段? [英] LogStash: How to make a copy of the @timestamp field while maintaining the same time format?

问题描述

我想创建@timestamp字段的副本，使其使用与@timestamp相同的格式.

I would like to create a copy of the @timestamp field such that it uses the same format as @timestamp.

我尝试了以下操作:

mutate
{
    add_field => ["read_time", "%{@timestamp}"]
}

，但是当@timestamp的格式为:2014-08-01T18:34:46.824Z，

read_time的格式为2014-08-01 18:34:46.824 UTC

这是一个问题，因为Kibana不了解直方图的"UTC"格式.

This is an issue as Kibana doesn't understand the "UTC" format for histograms.

有没有办法使用日期过滤器来做到这一点?

Is there a way using the date filter to do this?

推荐答案

Kibana无法理解，因为read_time字段是字符串，而不是时间戳！ 您可以使用ruby过滤器执行所需的操作.只需将@timestamp复制到新字段read_time中，并且该字段的时间在 timestamp 中，而不是字符串. add_field将添加一个具有字符串类型的新字段！

Kibana can't understand because the read_time field is a string, not a timestamp! You can use ruby filter to do what you need. Just copy the @timestamp to a new field read_time and the field time is in timestamp, not string. The add_field is add a new field with string type!

这是我的配置:

input {
    stdin{}
}

filter {
    ruby {
            code => "event['read_time'] = event['@timestamp']"
    }
    mutate
    {
        add_field => ["read_time_string", "%{@timestamp}"]
    }
}

output {
    stdout {
        codec => "rubydebug"
    }
}

您可以尝试查看输出，输出为:

You can try and see the output, the output is:

{
   "message" => "3243242",
  "@version" => "1",
"@timestamp" => "2014-08-08T01:09:49.647Z",
      "host" => "BENLIM",
 "read_time" => "2014-08-08T01:09:49.647Z",
"read_time_string" => "2014-08-08 01:09:49 UTC"
}

希望这可以为您提供帮助.

Hope this can help you.

这篇关于LogStash:如何在保持相同时间格式的同时复制@timestamp字段?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！