Trouble with logstash @timestamp

Question

I have set up ELK on my laptop and I am having trouble with the timestamp field. My input file looks like this ... (one line so far)

Chckpoint 502 10.189.7.138 Allow 18 Mar 2015 15:00:01

My code looks like this ..

input {
  file {
    path => "/usr/local/bin/firewall_log"
  }
}

filter {
  grok {
    match => { "message" => "%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action}" }
    add_tag => "checkpoint"
  }

  date {
    match => { "DATETIME" => "%{dd mmm yyyy hh:mm:ss}" }
    target => "@timestamp"
  }
}

output {
  elasticsearch { host => "localhost" }
}

When I run it, I get the following result

"message" => "Chckpoint 502 10.189.7.138 Allow 18 Mar 2015 15:00:01   ",
      "@version" => "1",
    "@timestamp" => "2015-04-30T19:02:21.663Z",
          "host" => "UOD-220076",
          "path" => "/usr/local/bin/firewall_log",
          "type" => "Chckpoint",
          "nums" => "502",
      "sourceip" => "10.189.7.138",
        "Action" => "Allow",
          "tags" => [
        [0] "checkpoint"

This is fine EXCEPT for the timestamp - it shows today's date but what I want it to do is set the timestamp to what is in the log file, in this case, 18 Mar 2015 15:00:01. Help please.

Solution

That's what the date{} filter will do for you, if you give it the right info.

First, define a custom pattern for your timestamp:

MYTIMESTAMP %{MONTHDAY} %{MONTH} %{YEAR} %{TIME}

Then add it to your grok pattern so you get a new field:

%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action} %{MYTIMESTAMP:mytime}

Then you can pass the mytime variable to the date filter:

date {
  # MMM matches the abbreviated month name in the log ("Mar"); MM would expect a two-digit month.
  # yyyy is the calendar year; YYYY is the ISO week-year and can be off around New Year.
  match => [ "mytime", "dd MMM yyyy HH:mm:ss" ]
}
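Putting the answer's pieces together as one complete pipeline (an added example, not the answerer's own config). It assumes the custom pattern is declared inline with grok's pattern_definitions option, which needs Logstash 5 or later (on older releases the MYTIMESTAMP line goes into a patterns_dir file as shown above), and it assumes the firewall writes its times in UTC, which the date filter has to be told because the log line carries no zone.

```conf
input {
  file {
    path => "/usr/local/bin/firewall_log"
    start_position => "beginning"    # also ingest lines written before Logstash started
  }
}

filter {
  grok {
    # Inline definition of the custom pattern (Logstash 5+; older versions use patterns_dir)
    pattern_definitions => { "MYTIMESTAMP" => "%{MONTHDAY} %{MONTH} %{YEAR} %{TIME}" }
    match => { "message" => "%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action} %{MYTIMESTAMP:mytime}" }
    add_tag => [ "checkpoint" ]
  }

  # Keep the ingest time before date{} overwrites @timestamp, so a gap between
  # event time and ingest time (delayed or replayed logs) stays visible in the index.
  mutate {
    add_field => { "ingest_time" => "%{@timestamp}" }
  }

  date {
    # MMM = abbreviated month name ("Mar"), yyyy = calendar year;
    # "dd MM YYYY" would not match "18 Mar 2015" and @timestamp would stay at ingest time.
    match => [ "mytime", "dd MMM yyyy HH:mm:ss" ]
    # Assumption for this example: the firewall logs in UTC. Without a timezone
    # setting Logstash applies the zone of the host it runs on.
    timezone => "UTC"
    target => "@timestamp"
  }
}

output {
  # On a parse failure date{} leaves @timestamp at ingest time and adds the
  # _dateparsefailure tag; write those events somewhere visible instead of
  # silently indexing them with the wrong time.
  if "_dateparsefailure" in [tags] {
    file { path => "/var/log/logstash/date_failures.log" }
  } else {
    elasticsearch { hosts => ["localhost:9200"] }
  }
}
```

Comparing ingest_time with @timestamp on the indexed events is a quick check that the event time is really being taken from the log line.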
