elasticsearch - timestamp not parsed correctly on ELK 5.4

Tags: elasticsearch logstash kibana elasticsearch-5 kibana-5

I am using the latest ELK stack (5.4.0). I am parsing some Apache logs.
With Elasticsearch 2.4.5 and Kibana 4.6.4 everything works.

Working version

apache 173.252.115.89 - - [29/May/2017:09:59:13 +0200] "GET /fr/fia/nodes.rss HTTP/1.1" 200 19384 "-" "facebookexternalhit/1.1" "-" 756752 "*/*" monsite.com

is fed into elasticsearch perfectly with the following grok conf:

grok {
  match => { "message" => "%{WORD:program} %{COMBINEDAPACHELOG} \"((?<x_forwarded_for>%{IP:xff_clientip}.*)|-)\" %{NUMBER:request_time:float} %{QUOTEDSTRING:accept} %{IPORHOST:targethost}" }
}
date {
  match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}

with the following Kibana conf (shown as a screenshot in the original post)

Problem

With ELK 5.4, I get exactly the same messages (from a duplicated RabbitMQ queue), the same logstash conf and a "fresh install", but I get

elasticsearch log
[2017-05-29T10:17:58,498][DEBUG][o.e.a.b.TransportShardBulkAction] [srv-elk-01] [logstash-2017.05.29][1] failed to execute bulk item (index) BulkShardRequest [[logstash-2017.05.29][1]] containing [16] requests
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [timestamp]
        at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:298) ~[elasticsearch-5.4.0.jar:5.4.0]
...
        at org.elasticsearch.index.mapper.DateFieldMapper.parseCreateField(DateFieldMapper.java:468) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:287) ~[elasticsearch-5.4.0.jar:5.4.0]
        ... 40 more

logstash log
[2017-05-29T10:17:58,503][WARN ][logstash.outputs.elasticsearch] Failed action. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2017.05.29", :_type=>"syslog", :_routing=>nil}, 2017-05-29T08:17:57.000Z 212.95.67.139 apache 212.95.70.118 - - [29/May/2017:10:17:57 +0200] "GET /de/tag/opera HTTP/1.1" 200 8948 "-" "TurnitinBot (https://turnitin.com/robot/crawlerinfo.html)" "199.47.87.143, 199.47.87.143" 784504 "text/*,application/*" monsite.com], :response=>{"index"=>{"_index"=>"logstash-2017.05.29", "_type"=>"syslog", "_id"=>"AVxTSHzL1K94bfQE3eaM", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [timestamp]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29/May/2017:10:17:57 +0200\" is malformed at \"/May/2017:10:17:57 +0200\""}}}}}

My Kibana conf is (shown as a screenshot in the original post)

Accepted answer

Well, the latest version of Kibana does not use the timestamp field, so it is deprecated.
Use "date" in the logstash conf file.
For more details, see here:
timestamp
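The error in the logstash log says exactly what Elasticsearch rejected: the raw Apache string "29/May/2017:10:17:57 +0200" was sent into a field mapped as a date, and that string is not in the form the default date mapping accepts. The example below is added here and is not code from the question, the answer or the Elastic projects. It reproduces what the date filter from the question does with the "dd/MMM/yyyy:HH:mm:ss Z" pattern (parse the Apache timestamp, emit UTC ISO 8601 into @timestamp) and adds a check that shows why the untouched timestamp field fails. It assumes the index uses Elasticsearch's default date format (strict_date_optional_time||epoch_millis), which the page does not show, and it assumes a hypothetical pipeline in which the raw field is dropped after conversion; whether that is the right fix for a given index depends on its mapping. The regex is a simplified stand-in for the grok pattern covering only the fields the example needs.

```python
import re
from datetime import datetime, timezone

# Simplified stand-in for the page's grok pattern (assumption: only the fields
# needed here are extracted; the real pattern yields many more).
APACHE_LINE = re.compile(
    r'^(?P<program>\S+) (?P<clientip>\S+) \S+ \S+ '
    r'\[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" (?P<response>\d{3})'
)

# The date filter's Joda pattern "dd/MMM/yyyy:HH:mm:ss Z" expressed for strptime.
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Approximation of Elasticsearch's default date mapping format
# strict_date_optional_time||epoch_millis (assumption: the index uses the default).
ES_DEFAULT_DATE = re.compile(
    r'^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})?)?$|^\d+$'
)

# Constructed sample line, copied from the "working version" in the question.
SAMPLE = ('apache 173.252.115.89 - - [29/May/2017:09:59:13 +0200] '
          '"GET /fr/fia/nodes.rss HTTP/1.1" 200 19384 "-" "facebookexternalhit/1.1" '
          '"-" 756752 "*/*" monsite.com')


def parse_line(line: str) -> dict:
    """Extract the named fields; raises if the line is not in the expected shape."""
    m = APACHE_LINE.match(line)
    if not m:
        raise ValueError("line does not match the Apache pattern")
    return m.groupdict()


def normalize_timestamp(raw: str) -> str:
    """What the date filter does: parse the Apache timestamp and emit UTC ISO 8601
    with millisecond precision, the form Logstash writes into @timestamp."""
    dt = datetime.strptime(raw, APACHE_TS).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def es_accepts_as_date(value: str) -> bool:
    """True if the value would pass the default date mapping format."""
    return ES_DEFAULT_DATE.match(value) is not None


def build_event(line: str) -> dict:
    """Hypothetical pipeline: convert into @timestamp and drop the raw string so a
    date-mapped 'timestamp' field never receives the Apache format."""
    fields = parse_line(line)
    event = dict(fields)
    event["@timestamp"] = normalize_timestamp(fields["timestamp"])
    del event["timestamp"]
    return event


if __name__ == "__main__":
    raw = parse_line(SAMPLE)["timestamp"]
    print(raw, "accepted by default date mapping:", es_accepts_as_date(raw))
    print(build_event(SAMPLE))
```

The second log line on the page confirms the conversion: its "[29/May/2017:10:17:57 +0200]" becomes the "2017-05-29T08:17:57.000Z" that Logstash prints in front of the event, while the original timestamp string is still carried alongside it, which is the value the mapper then refuses.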

For "elasticsearch - timestamp not parsed correctly on ELK 5.4" we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44238024/
