Trouble with log stash @timestamp

本秂侑毒 submitted on 2019-12-12 01:47:36

Question


I have set up ELK on my laptop and I am having trouble with the timestamp field. My input file looks like this ... (one line so far)

Chckpoint 502 10.189.7.138 Allow 18 Mar 2015 15:00:01

My code looks like this ..

input {
  file {
    path => "/usr/local/bin/firewall_log"
  }
}

filter {
  grok {
    match => {"message" => "%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action}"}
    add_tag => "checkpoint"
  }

  date {
    match => {"DATETIME" => "%{dd mmm yyyy hh:mm:ss}"}
    target => "@timestamp"
  }
}

output {
  elasticsearch { host => localhost }
}

When I run it, I get the following result

"message" => "Chckpoint 502 10.189.7.138 Allow 18 Mar 2015 15:00:01   ",
      "@version" => "1",
    "@timestamp" => "2015-04-30T19:02:21.663Z",
          "host" => "UOD-220076",
          "path" => "/usr/local/bin/firewall_log",
          "type" => "Chckpoint",
          "nums" => "502",
      "sourceip" => "10.189.7.138",
        "Action" => "Allow",
          "tags" => [
        [0] "checkpoint"

This is fine EXCEPT for the timestamp - it shows today's date, but what I want it to do is set the timestamp to what is in the log file, in this case, 18 Mar 2015 15:00:01. Help please.


Answer 1:


That's what the date{} filter will do for you, if you give it the right info.

First, define a custom pattern for your timestamp:

MYTIMESTAMP %{MONTHDAY} %{MONTH} %{YEAR} %{TIME}

Then add it to your grok pattern so you get a new field:

%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action} %{MYTIMESTAMP:mytime}

Then you can pass the mytime variable to the date filter:

date {
  match => {"mytime" => "dd MM YYYY HH:mm:ss"}
}
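The following is an added example, not code from the question or the answer above. It reproduces outside Logstash what the combination of the custom grok pattern and the date filter does: it expands `%{NAME:field}` references into a regex, extracts the fields from the firewall line, and converts the `mytime` field into an ISO 8601 `@timestamp`. The grok definitions in `GROK_PATTERNS` are simplified stand-ins written for this example, not Logstash's real pattern library; the sample line is copied from the question; and the log is assumed to be in UTC because the line carries no timezone (in Logstash the date filter falls back to the host's local zone unless `timezone` is set). The `strptime` format `%d %b %Y %H:%M:%S` corresponds to the Joda-style `dd MMM yyyy HH:mm:ss` that the date filter uses for a three-letter month name like `Mar`. From a detection point of view, getting this right matters: events indexed with ingest time instead of event time cannot be correlated on a timeline with other sources.

```python
import re
from datetime import datetime, timezone

# Constructed sample line, copied from the question (including trailing spaces).
SAMPLE_LINE = "Chckpoint 502 10.189.7.138 Allow 18 Mar 2015 15:00:01   "

# Simplified stand-ins for the grok patterns used on the page.
# These are hypothetical approximations, not Logstash's actual definitions.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:[01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]",
    # The custom pattern defined in the answer.
    "MYTIMESTAMP": "%{MONTHDAY} %{MONTH} %{YEAR} %{TIME}",
}

# The grok pattern from the answer, with the new mytime field.
FIREWALL_PATTERN = ("%{WORD:type} %{NUMBER:nums} %{IP:sourceip} "
                    "%{WORD:Action} %{MYTIMESTAMP:mytime}")

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Recursively expand %{NAME} / %{NAME:field} references into a Python regex."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)


def grok_match(pattern: str, line: str):
    """Return the named fields if the (unanchored) pattern matches, else None."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


def parse_event(line: str, pattern: str = FIREWALL_PATTERN) -> dict:
    """Emulate grok + date filters: extract fields, then set @timestamp from mytime."""
    event = {"message": line, "tags": []}
    fields = grok_match(pattern, line)
    if fields is None:
        # Logstash marks a non-matching line with this tag instead of dropping it.
        event["tags"].append("_grokparsefailure")
        return event
    event.update(fields)
    try:
        # Equivalent of date { match => ["mytime", "dd MMM yyyy HH:mm:ss"] },
        # assuming the log is written in UTC (no zone is present in the line).
        ts = datetime.strptime(fields["mytime"], "%d %b %Y %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        event["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    except ValueError:
        # Same failure mode as Logstash: the event keeps ingest-time @timestamp
        # semantics and is tagged so the problem is visible in the index.
        event["tags"].append("_dateparsefailure")
    return event


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_LINE).items():
        print(f"{key:>12} => {value!r}")
```

Lines that do not match the grok pattern, or that match but carry an impossible date such as `31 Feb`, are tagged rather than silently given the current time, which is the behaviour a SIEM operator wants so that clock problems in a feed show up as a searchable tag.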


Source: https://stackoverflow.com/questions/29975826/trouble-with-log-stash-timestamp
