我正在尝试使用 logstash 回填一些过去的 Apache 访问日志数据,因此我需要将事件 @timestamp 设置为出现在日志消息中的日期。这是我当前的 logstash 配置:
input {
tcp {
type => "access_log"
port => 9293
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
# Try to pull the timestamp from the 'timestamp' field (parsed above with
# grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
locale => "en"
timezone => "America/New_York"
match => { "timestamp" => "dd/MMM/yyyy:HH:mm:ss Z" }
add_tag => [ "tsmatch" ]
}
}
output {
stdout { codec => rubydebug }
}
但是,日期过滤器似乎没有更新事件@timestamp,即使 Apache 时间戳被正确捕获并且正则表达式应该匹配它。输出数据如下所示:
{
"message" => "56.116.21.231 - - [20/Nov/2013:22:47:08 -0500] \"GET /xxxx/1.305/xxxx/xxxx.zip HTTP/1.1\" 200 33002333 \"-\" \"xxxxx/3.0.3 CFNetwork/609.1.4 Darwin/13.0.0\"",
"@timestamp" => "2013-12-01T12:54:27.920Z",
"@version" => "1",
"type" => "access_log",
"host" => "0:0:0:0:0:0:0:1%0:51045",
"clientip" => "56.116.21.231",
"ident" => "-",
"auth" => "-",
"timestamp" => "20/Nov/2013:22:47:08 -0500",
"verb" => "GET",
"request" => "/xxxx/1.305/xxxx/xxxx.zip",
"httpversion" => "1.1",
"response" => "200",
"bytes" => "33002333",
"referrer" => "\"-\"",
"agent" => "\"xxxxx/3.0.3 CFNetwork/609.1.4 Darwin/13.0.0\"",
"tags" => [
[0] "tsmatch"
]
}
关于可能出什么问题的任何想法?
我正在使用 logstash-1.2.2 flatjar。
最佳答案
好的,我发现了问题,我在匹配操作中使用了错误的语法:
匹配 => [ "时间戳", "dd/MMM/yyyy:HH:mm:ss Z"]
不是
匹配 => {“时间戳”=>“dd/MMM/yyyy:HH:mm:ss Z”}
关于apache - Logstash 日期过滤器不使用 Apache 时间戳更新 @timestamp,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20312416/