我正在尝试使用ELK堆栈解析日志。以下是我的示例日志
2015-12-11 12:05:24+0530 [process] INFO: process 0.24.5 started
我正在使用以下grok
grok{
match => {"message" => "(?m)%{TIMESTAMP_ISO8601:processdate}\s+\[%{WORD:name}\]\s+%{LOGLEVEL:loglevel}"}
}
我的 Elasticsearch 映射是
{
"properties": {
"processdate":{
"type": "date",
"format" : "yyyy-MM-dd HH:mm:ss+SSSS"
},
"name":{"type" : "string"},
"loglevel":{"type" : "string"},
}
}
但是当加载到Elastic search中时,我遇到了错误,
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [processdate]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2015-12-11 12:05:39+0530\" is malformed at \" 12:05:39+0530\""}}}}, :level=>:warn}
如何将其修改为适当的数据格式?我在 Elasticsearch 中添加了正确的日期格式。
更新: localhost:9200 / log
{"log":{"aliases":{},"mappings":{"filelog":{"properties":{"processdate":{"type":"date","format":"yyyy-MM-dd' 'HH:mm:ssZ"},"loglevel":{"type":"string"},"name":{"type":"string"}}}},"settings":{"index":{"creation_date":"1458218007417","number_of_shards":"5","number_of_replicas":"1","uuid":"_7ffuioZS7eGBbFCDMk7cw","version":{"created":"2020099"}}},"warmers":{}}}
最佳答案
您收到的错误表示您的日期格式不正确。固定这样的日期格式,即在结尾处使用Z(时区),而不是+SSSS(秒数):
{
"properties": {
"processdate":{
"type": "date",
"format" : "yyyy-MM-dd HH:mm:ssZ"
},
"name":{"type" : "string"},
"loglevel":{"type" : "string"}
}
}
另外,根据我们之前的交流,您的
elasticsearch输出插件缺少document_type设置,因此应这样配置,以便利用您的自定义filelog映射类型(否则,将使用默认的logs类型,而您的自定义映射类型为没踢):output {
elasticsearch {
hosts => ["172.16.2.204:9200"]
index => "log"
document_type => "filelog"
}
}
关于elasticsearch - ELK中的日期时间解析,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36060412/