logstash日期过滤器无法将字段转换为日期类型

时间:2018-06-24 10:15:09

标签: elasticsearch logstash logstash-configuration

使用日期过滤器将文本字段转换为日期时遇到问题。这是我正在使用的logstash代码:

# Parse one multi-line Zimbra log entry. The text before the first newline
# yields start_date, the process start time, the log level and a day name;
# after three "\n" separators the pattern captures end_date and the process
# end time.
# TIMESTAMP_DD_MM_YYYY is not a stock grok pattern; presumably it is defined
# in a file under patterns_dir, so its exact format cannot be seen from here.
# NOTE(review): the match needs the whole entry (all four lines) in a single
# event, i.e. lines must already be joined upstream (confirm).
# NOTE(review): zimbra_proc_start_time / zimbra_proc_end_time are captured here
# as plain strings; the later date filters reuse the same names as targets.
grok {
       patterns_dir => ["/etc/logstash/conf.d/patterns"]
        match => { "message" => "%{TIMESTAMP_DD_MM_YYYY:start_date}%{SPACE}%{TIME:zimbra_proc_start_time}%{SPACE}%{SPACE}%{LOGLEVEL:log_level}%{DATA}%{DAY:day}%{SPACE}%{GREEDYDATA}\n%{DATA}\n%{DATA}\n%{TIMESTAMP_DD_MM_YYYY:end_date}%{SPACE}%{TIME:zimbra_proc_end_time}" }
    }

    # Build two temporary "<date> <time>" strings (joined by a single space)
    # for the date filters to parse.
    # NOTE(review): this runs even when grok did not match; Logstash then
    # leaves an unresolved %{field} reference as literal text, which the date
    # filters cannot parse. Consider guarding on the grok result.
    mutate {
      add_field => {
        "end_date_parse" => "%{end_date} %{zimbra_proc_end_time}"
        "start_date_parse" => "%{start_date} %{zimbra_proc_start_time}"
      }
    }

    # Parse the combined start string and overwrite zimbra_proc_start_time
    # (until now the raw text captured by grok) with the resulting timestamp.
    # The formats are tried in the listed order. Because start_date_parse is
    # always "<date> <time>" with a space, "HH:mm:ss" and the two 'T' formats
    # cannot consume the whole string; presumably only the last two can match.
    # NOTE(review): the filter stores a timestamp, but Elasticsearch keeps the
    # mapping a field already has in an existing index. If this field was
    # indexed as a string before (e.g. the raw grok capture), it presumably
    # stays text/keyword until a new index is created or the data is reindexed
    # with a date mapping. Verify against the index mapping and template.
    date {
      match => [ "start_date_parse", "HH:mm:ss", "yyyy-MM-dd'T'HH:mm:ss.SSS", "dd MMM yyyy'T'HH:mm:ss.SSS", "dd MMM yyyy HH:mm:ss", "d MMM yyyy HH:mm:ss" ]
      target => "zimbra_proc_start_time"
    }

    # Parse the combined end string and overwrite zimbra_proc_end_time with the
    # resulting timestamp. Same set of formats as the start-time filter, with
    # the first two in the opposite order.
    # NOTE(review): none of the formats carries a zone and no timezone option
    # is set, so the filter falls back to the Logstash host's default zone.
    # Confirm that this is the zone the Zimbra host logs in; otherwise event
    # times are shifted when correlated with other log sources.
    date {
      match => [ "end_date_parse", "yyyy-MM-dd'T'HH:mm:ss.SSS", "HH:mm:ss", "dd MMM yyyy'T'HH:mm:ss.SSS", "dd MMM yyyy HH:mm:ss", "d MMM yyyy HH:mm:ss" ]
      target => "zimbra_proc_end_time"
    }

    # Drop the temporary combined strings now that both date filters have run;
    # the fields are listed once, as an array, instead of repeating the key.
    mutate {
      remove_field => [ "end_date_parse", "start_date_parse" ]
    }

此外,事件中没有出现 _grokparsefailure 或 _dateparsefailure 标签,因此日期应该已被正确解析,但在 Elasticsearch 中该字段的类型仍然显示为 keyword(关键字)。

0 个答案:

没有答案