【发布时间】:2018-03-17 15:40:34
【问题描述】:
我在 elasticsearch/filebeat 的 @timestamp 字段中得到错误的值。 我的 filebeat 管道定义
curl -H 'Content-Type: application/json' -XPUT "logger:9200/_ingest/pipeline/app_log" -d'
{
"description" : "Ingest pipeline for Jetty server log",
"processors" : [
{
"grok": {
"field": "message",
"patterns": ["%{TIMESTAMP_ISO8601:timestamp} (%{UUID:accessid})? \\[(?<threadname>[^\\]]+)\\] %{LOGLEVEL:level} %{DATA:classname} - %{GREEDYDATA:message}"]
}
},
{
"date": {
"field": "timestamp",
"formats": [ "yyyy-mm-dd H:m:s,SSS" ]
}
}
],
"on_failure" : [{
"set" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}]
}'
一些示例记录器行的模拟结果。 (使用 logback 配置)
curl -H 'Content-Type: application/json' -XPOST "logger:9200/_ingest/pipeline/app_log/_simulate?pretty" -d'
{
"docs": [
{
"_source": {
"message": "2018-03-17 22:38:39,079 bab3157d-a11c-4dba-a6d6-c47ae0de2b7f [qtp224100622-174782] INFO i.n.core.services.cache.CacheBuilder - Key : ChIJrTTTJkdsrjsRXkrYRKRRfd8-seo-localitiesv1 is returned from cache"
}
},
{
"_source": {
"message": "2017-12-12 01:14:12,079 [qtp224100622-185269] WARN i.n.m.cache.sdk.RedisCacheProvider - No matching policy: class in.nobroker.core.domain.Token"
}
}
]
}'
这个模拟的结果:
{“文档”:[ { “文档”:{ "_index" : "_index", “_type”:“_type”, “_id”:“_id”, “_来源” : { “accessid”:“bab3157d-a11c-4dba-a6d6-c47ae0de2b7f”, "@timestamp" : "2018-01-17T22:38:39.079Z", “类名”:“i.n.core.services.cache.CacheBuilder”, “级别”:“信息”, "message" : "Key : ChIJrTTTJkdsrjsRXkrYRKRRfd8-seo-localitiesv1 从缓存中返回", “时间戳”:“2018-03-17 22:38:39,079”, “线程名”:“qtp224100622-174782” }, “_摄取”:{ “时间戳”:“2018-03-17T15:35:35.543Z” } } }, { “文档”:{ "_index" : "_index", “_type”:“_type”, “_id”:“_id”, “_来源” : { "@timestamp" : "2017-01-12T01:14:12.079Z", “类名”:“i.n.m.cache.sdk.RedisCacheProvider”, “级别”:“警告”, "message" : "没有匹配的策略:类 in.nobroker.core.domain.Token", “时间戳”:“2017-12-12 01:14:12,079”, “线程名”:“qtp224100622-185269” }, “_摄取”:{ “时间戳”:“2018-03-17T15:35:35.543Z” } } } ] }
请注意@timestamp 字段与时间戳字段完全不同。
【问题讨论】:
标签: logstash logstash-grok filebeat