Posted by use*_*418

Logstash: replace @timestamp with the syslog date

I'm a bit confused. I'm trying to pull out the syslog date (backfilling Logstash) and replace @timestamp with it. I've tried almost everything.

Here is my filter

filter {
  if [type] == "syslog" {
    grok {
      match => {
        "message" => ["%{SYSLOGTIMESTAMP:DATETIME} %{WORD:SERVER} (?<BINARY>(.*?)(php\-cgi|php))\: %{DATA:PHP_ERROR_TYPE}\:\s\s(?<PHP_ERROR_DESC>(.*?)(e\s\d))"]
      }
    }

    # date's match takes a flat array: the field name, then the patterns to try in order
    date {
      match => [ "DATETIME", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
      target => "@timestamp"
      add_tag => [ "tmatch" ]
    }

    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{SERVER}" ]
      }
    }
    mutate {
      remove_field => [ "SERVER" ]
    }
  } …

timestamp syslog filter logstash logstash-grok

Score: 8 | Answers: 2 | Views: 40,000
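As an added example (not part of the original post and not Logstash's own code), the following Python script mirrors what the corrected filter is meant to do: grok the line, parse DATETIME with the question's date patterns, and stamp the event with that time instead of the ingest time. It also covers the failure mode the year-less syslog formats create when backfilling across a year boundary. The sample lines, the ingest time, the strptime mappings and the one-day future-skew rule are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the shape the question's grok expects (not from the original post).
SAMPLE_LINES = [
    "Dec 31 23:59:58 web01 /usr/bin/php-cgi: PHP Warning:  Undefined variable $x in /srv/app/index.php on line 4",
    "Jan  2 08:15:00 web01 /usr/bin/php: PHP Notice:  Undefined index: id in /srv/app/show.php on line 9",
    "2014-01-02T08:15:00Z web02 php-cgi: PHP Fatal error:  Call to undefined function foo() in /srv/app/x.php on line 1",
]
INGEST_TIME = datetime(2014, 1, 2, 10, 0, tzinfo=timezone.utc)  # constructed backfill run time (logs assumed UTC)

# Python rendering of the question's grok; the description group stops at "e <digit>" ("line 4") as in the original.
LINE_RE = re.compile(
    r"^(?P<DATETIME>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:Z|[+-]\d\d:?\d\d))"
    r" (?P<SERVER>\w+) (?P<BINARY>.*?(?:php-cgi|php)): (?P<PHP_ERROR_TYPE>.*?):\s\s(?P<PHP_ERROR_DESC>.*?e\s\d)"
)
# The question's date patterns mapped to strptime. A space in a strptime format matches one or more
# spaces, so one pattern covers "MMM  d" and "MMM dd". The ISO8601 mapping is an assumption
# (strptime has no ISO8601 shorthand); %z accepts a trailing "Z" on Python 3.7+.
DATE_FORMATS = [("MMM  d / MMM dd HH:mm:ss", "%b %d %H:%M:%S", False), ("ISO8601", "%Y-%m-%dT%H:%M:%S%z", True)]

def parse_timestamp(raw, now):
    """Return an aware UTC datetime for the DATETIME field, or None if no pattern matches."""
    for _label, fmt, has_year in DATE_FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if has_year:
            return parsed.astimezone(timezone.utc)
        # Syslog stamps carry no year. "This year" is right for live data but wrong when backfilling
        # across New Year: a December line replayed in January lands in the future. Rule assumed here:
        # anything more than a day ahead of `now` belongs to the previous year.
        candidate = parsed.replace(year=now.year, tzinfo=timezone.utc)
        if candidate - now > timedelta(days=1):
            candidate = candidate.replace(year=now.year - 1)
        return candidate
    return None

def parse_line(line, now):
    """Mirror the filter: grok the line, then stamp the event with the syslog time, not ingest time."""
    m = LINE_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    ts = parse_timestamp(event.pop("DATETIME"), now)
    event["@timestamp"] = ts
    event["@source_host"] = event.pop("SERVER")  # the mutate replace + remove_field steps
    event["tags"] = ["tmatch"] if ts else ["_dateparsefailure"]
    return event
```

Run `parse_line(line, INGEST_TIME)` over `SAMPLE_LINES`: the December line is assigned to the previous year, while the January and ISO8601 lines keep the year as written.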
