logstash时间问题
创建索引时间不对问题
参考:https://www.cnblogs.com/zzb666/p/14148898.html
output 不使用默认的 nginx-8070-%{+YYYY.MM.dd} 时间格式，改为自定义格式
ruby{
# Derive `index_date` (YYYY.MM.DD) from @timestamp after converting it to the
# Logstash process's local time zone, so the daily index name follows the local
# calendar day instead of UTC. This ruby block belongs inside filter {} (the
# enclosing filter section is not shown in this excerpt).
code => "event.set('index_date', (event.get('@timestamp').time.localtime).strftime('%Y.%m.%d'))"
}
output {
elasticsearch {
# NOTE(review): plain http with no `ssl`/`cacert`/`user`/`password` option set
# here, so events cross the network in clear text and the write is
# unauthenticated unless the cluster is protected elsewhere — confirm this is
# acceptable for the network Logstash runs on.
hosts => ["172.16.12.88:9200"]
# Index name: fixes the index being created under the wrong (UTC) day by using
# the `index_date` field computed by the ruby filter. If that field is absent
# on an event, the sprintf reference presumably stays literal in the index
# name — verify the ruby filter always runs first.
index => "nginx-8070-%{index_date}"
# Previous form; Logstash's %{+...} date interpolation formats @timestamp in
# UTC, which is why the day boundary was off.
#index => "nginx-8070-%{+YYYY.MM.dd}"
# Output codec (original comment: "type").
codec => plain
}
}
@timestamp时间问题
# 自定义时间
ruby {
# Write a copy of @timestamp shifted forward by 8 hours (UTC+8) into a
# temporary `timestamp` field. `.localtime` only changes how the Ruby Time is
# displayed; the `+ 8*60*60` is what moves the instant. NOTE(review): once this
# value is copied back into @timestamp (next filter) the stored time is 8 h
# ahead of the real event time, so correlation with other UTC-keyed log
# sources (SIEM, forensics timelines) must account for the offset.
code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
}
ruby {
# Overwrite @timestamp with the shifted value produced by the previous ruby
# filter. Depends on that filter having run first; behavior when `timestamp`
# is missing is not shown here — presumably a ruby exception tag, verify.
code => "event.set('@timestamp',event.get('timestamp'))"
}
mutate {
# Drop the temporary helper field now that @timestamp has been replaced.
remove_field => ["timestamp"]
# Store request_time as a number so Elasticsearch can aggregate/sort on it.
convert => ["request_time", "float"]
}
}
完整的配置
input {
beats {
# Accept Beats (e.g. Filebeat) connections on this port.
port => 5044
# Codec applied to incoming events (original comment: "set encoding").
codec => plain
# Original note: when several files are shipped, `type` can be used to route
# them to different inputs/outputs.
# NOTE(review): no `ssl`/`ssl_certificate`/`ssl_key` here, so the Beats ->
# Logstash link is unencrypted and any host able to reach 5044 can submit
# events into the pipeline — confirm this matches the network boundary.
}
}
#2.过滤格式化数据阶段
filter {
grok {
# Parse the custom nginx access-log line into named fields (remote_addr,
# remote_user, time_local, method, dep, res, request, version, status,
# body_bytes_sent, http_user_agent, request_time, connection, host,
# request_body). Lines that do not match are tagged _grokparsefailure and
# continue through the pipeline unparsed.
match => {
"message" => "%{IP:remote_addr} - (%{WORD:remote_user}|-) \[%{HTTPDATE:time_local}\] \"%{WORD:method} /%{WORD}/%{WORD:dep}/%{WORD:res}%{NOTSPACE:request} HTTP/%{NUMBER:version}\" %{NUMBER:status} %{NUMBER:body_bytes_sent} %{QS} %{QS:http_user_agent} %{QS} \"%{NUMBER:request_time}\" \"%{NUMBER:connection}\" %{QS} %{QS:host}%{QS:request_body}"
}
}
# NOTE(review): `request_body` is indexed verbatim. Request bodies can carry
# credentials or personal data; consider dropping or masking that field
# before it reaches Elasticsearch.
date {
# Parse nginx `time_local` (which carries a numeric zone offset) into
# @timestamp as a proper instant.
match => ["time_local", "dd/MMM/yyyy:HH:mm:ss Z"]
target => "@timestamp"
}
ruby{
# Daily index suffix from the local-zone calendar day. Runs before the +8 h
# shift below, so it is based on the parsed time, not the shifted one.
# Assumes the Logstash process time zone is UTC+8 — TODO confirm; otherwise
# index_date and the shifted @timestamp will disagree around midnight.
code => "event.set('index_date', (event.get('@timestamp').time.localtime).strftime('%Y.%m.%d'))"
}
ruby {
# Temporary `timestamp` = @timestamp moved forward 8 hours. NOTE(review):
# this makes the stored @timestamp 8 h ahead of the real event time; keep
# that in mind when correlating with other UTC-keyed sources.
code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
}
ruby {
# Replace @timestamp with the shifted value.
code => "event.set('@timestamp',event.get('timestamp'))"
}
mutate {
# Drop the helper field; store request_time as a number for aggregation.
remove_field => ["timestamp"]
convert => ["request_time", "float"]
}
}
#3.数据输出到ES阶段
output {
elasticsearch {
# NOTE(review): plain http with no `ssl`/`cacert`/`user`/`password` option set
# here, so events cross the network in clear text and the write is
# unauthenticated unless the cluster is protected elsewhere — confirm this is
# acceptable for the network Logstash runs on.
hosts => ["172.16.12.88:9200"]
# Index name: fixes the index being created under the wrong (UTC) day by using
# the `index_date` field computed in the filter section. If that field is
# absent on an event, the sprintf reference presumably stays literal in the
# index name — verify the ruby filter always runs.
index => "nginx-8070-%{index_date}"
# Previous form; Logstash's %{+...} date interpolation formats @timestamp in
# UTC, which is why the day boundary was off.
#index => "nginx-8070-%{+YYYY.MM.dd}"
# Output codec (original comment: "type").
codec => plain
}
}