更改由已过滤或聚合过滤器创建的事件日期 [英] Change date on event created by Elapsed or Aggregate filters
问题描述
当过滤器使用 new_event_on_match 时,会创建一个新的时间戳记。总结过滤器也会添加一个新的时间戳记。
When using new_event_on_match with elapsed filter a new event is created, with a fresh timestamp. The Aggregate filter adds a new event with a fresh timestamp as well.
我想使用原始事件的时间戳,现在可以在 elapsed_timestamp_start 。如何在新创建的事件中替换 @timestamp ?
I would like to use the timestamp from the original events, which is now available in the field elapsed_timestamp_start. How can I replace @timestamp in the newly created event?
我可以使用日期过滤器内已过期过滤器
Can I use a Date filter inside an Elapsed filter?
推荐答案
p>对于初学者,请注意,只有过去过滤器会创建一个新事件,聚合过滤器不会将推送到目前为止最后一个事件的任何信息。
For starters, just note that only the elapsed filter creates a new event, the aggregate filter doesn't and will push whatever information has been aggregated so far into the last event.
为了提供一些上下文,您之前提到的问题是这是一个。
In order to provide some context, the previous question you're referring to is this one.
你可以实现你想要的,简单地通过在最后一个过去之后添加一个过滤器)日期过滤器,以便修改上游新创建的事件过滤器过滤器。另请注意,我们首先需要将 elapsed_timestamp_start 字段转换为字符串,然后再尝试匹配日期,因为它是一个Logstash时间戳对象(由$ code创建)
You can achieve what you want, simply by adding a date filter just after the last elapsed filter, so as to modify the event newly created by the upstream elapsed filter. Also note that we first need to convert the elapsed_timestamp_start field to a string before trying to match the date because it's a Logstash timestamp object (created by the elapsed filter)
if "elapsed" in [tags] {
mutate {
convert => {"elapsed_timestamp_start" => "string"}
}
date {
match => ["elapsed_timestamp_start", "ISO8601"]
}
}
这篇关于更改由已过滤或聚合过滤器创建的事件日期的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
