

logstash时间问题

创建索引时间不对问题

参考:https://www.cnblogs.com/zzb666/p/14148898.html

output 不使用默认的 nginx-8070-%{+YYYY.MM.dd} 时间格式，而是通过 ruby filter 自定义日期格式
# Derives the 'index_date' field from @timestamp after converting it to the
# Logstash process's local timezone ('.time.localtime'), formatted as
# YYYY.MM.dd. The output section interpolates this field into the index name
# so that daily indices roll over on local dates instead of UTC dates.
ruby{
   code => "event.set('index_date', (event.get('@timestamp').time.localtime).strftime('%Y.%m.%d'))"
}

# Ships events to Elasticsearch, naming the index by the locally computed
# 'index_date' field rather than the built-in UTC-based %{+YYYY.MM.dd}.
# NOTE(review): 'index_date' must already have been set by the ruby filter;
# if it is missing, the field reference is not expanded — confirm a
# _grokparsefailure/ruby error cannot leave events with an unexpected index name.
# NOTE(review): hosts is a bare host:port with no user/password or ssl
# settings, so the connection is unauthenticated and unencrypted as written;
# confirm the cluster is only reachable from trusted network segments.
output {
    elasticsearch {
                  hosts => ["172.16.12.88:9200"]
                  # index name uses index_date to avoid the wrong (UTC) date
                  # when the daily index is created
                  index => "nginx-8070-%{index_date}"
                  #index => "nginx-8070-%{+YYYY.MM.dd}"
                  # codec
         codec => plain

          }

}

@timestamp时间问题

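# Custom timestamp: rewrite @timestamp so the stored value reads as local time.
# This fragment is taken from inside the filter {} section; the enclosing
# "filter {" is restored here so the trailing "}" is balanced and the snippet
# can be pasted as-is.
# NOTE(review): '.localtime' already applies the process's timezone offset and
# '+ 8*60*60' then moves the instant forward another 8 hours, so @timestamp no
# longer holds the true UTC event time. Any consumer that also converts to
# local time (e.g. a browser-side display) will show it shifted twice — TODO
# confirm this is the intended effect.
filter {
 ruby { 
   code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)" 
 }
 # Copy the shifted Time back into @timestamp.
 ruby {
   code => "event.set('@timestamp',event.get('timestamp'))"
 }
    mutate {
        # Drop the temporary field and make request_time numeric for aggregation.
        remove_field => ["timestamp"]
        convert => ["request_time", "float"]
    }
}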

完整的配置

# Receives events from Beats shippers on TCP 5044.
# NOTE(review): no ssl/certificate options are configured on this input, so
# Beats traffic arrives unencrypted and without client authentication as
# written; confirm port 5044 is restricted to the shipping hosts.
input {
  beats {
    port => 5044
    # set the codec
    codec => plain
     # when there are several files, use 'type' to route input to output
    }
}

#2.过滤格式化数据阶段

# Parses the custom nginx access-log line, sets @timestamp from the request
# time, derives a local-date index field, and shifts @timestamp by +8h.
# Processing order matters: index_date must be computed before @timestamp is
# rewritten by the second ruby block below.
filter {
    # Extract remote_addr, remote_user, time_local, method, dep, res, request,
    # version, status, body_bytes_sent, http_user_agent, request_time,
    # connection, host and request_body from the raw message.
    # NOTE(review): request_body is indexed as a field; depending on what nginx
    # writes there it may carry credentials or personal data — consider
    # removing or masking it before output.
    grok {
        match => {
            "message" => "%{IP:remote_addr} - (%{WORD:remote_user}|-) \[%{HTTPDATE:time_local}\] \"%{WORD:method} /%{WORD}/%{WORD:dep}/%{WORD:res}%{NOTSPACE:request} HTTP/%{NUMBER:version}\" %{NUMBER:status} %{NUMBER:body_bytes_sent} %{QS} %{QS:http_user_agent} %{QS} \"%{NUMBER:request_time}\" \"%{NUMBER:connection}\" %{QS} %{QS:host}%{QS:request_body}"
        }
    }
    # Use the request's own time (with its zone offset) as @timestamp.
    # NOTE(review): if grok fails, time_local is absent and @timestamp presumably
    # stays at ingest time — verify how such events should be indexed.
    date {
        match => ["time_local", "dd/MMM/yyyy:HH:mm:ss Z"]
        target => "@timestamp"
     }
# Local-date string for the index name (computed before @timestamp is shifted).
ruby{
   code => "event.set('index_date', (event.get('@timestamp').time.localtime).strftime('%Y.%m.%d'))"
}

 # Shift @timestamp: '.localtime' applies the process timezone and '+ 8*60*60'
 # adds a further 8 hours, so the stored value is no longer true UTC.
 # NOTE(review): consumers that also convert to local time will see a double
 # shift — TODO confirm this is intended.
 ruby { 
   code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)" 
 }
 ruby {
   code => "event.set('@timestamp',event.get('timestamp'))"
 }
    mutate {
        # Drop the temporary field and make request_time numeric for aggregation.
        remove_field => ["timestamp"]
        convert => ["request_time", "float"]
    }
}
#3.数据输出到ES阶段
# Ships events to Elasticsearch, naming the index by the locally computed
# 'index_date' field set in the filter section above.
# NOTE(review): hosts is a bare host:port with no user/password or ssl
# settings, so the connection is unauthenticated and unencrypted as written;
# confirm the cluster is only reachable from trusted network segments.
output {
    elasticsearch {
                  hosts => ["172.16.12.88:9200"]
                  # index name uses index_date to avoid the wrong (UTC) date
                  # when the daily index is created
                  index => "nginx-8070-%{index_date}"
                  #index => "nginx-8070-%{+YYYY.MM.dd}"
                  # codec
         codec => plain

          }

}